nanocore | 34affaaba3a4e52459471d0f1591fce1a555bd1525512a241bc0542dbe0f3e9e

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/01/2023, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TNT AWB TRACKING DETAILS.exe
Size

552KB
MD5

92d6b5ea0091ae3fab2cd511b70260cc
SHA1

a1a12e265c8ab6391b907484c9cbc78d2f8aa3a7
SHA256

34affaaba3a4e52459471d0f1591fce1a555bd1525512a241bc0542dbe0f3e9e
SHA512

d57be54539b39538e9302918f389e60429cd4f2c16c132a96a60497f8093208ffc65a35c8cf3074499260ff6a940675692421e36d907ff72b7ccef74555650f5
SSDEEP

12288:rYNGCXnph4rAUTJkyuLALrYoFbcQ2Kqcfay:rYIKph4BnYubLJay

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

chinomso.duckdns.org:7688

Mutex

550fe17f-82a7-425a-a9c7-b48d0fc640a0

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2022-10-04T09:40:25.305842836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
550fe17f-82a7-425a-a9c7-b48d0fc640a0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
1972	hiocqy.exe
432	hiocqy.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	TNT AWB TRACKING DETAILS.exe
1972	hiocqy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe"	hiocqy.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hiocqy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 432	1972	hiocqy.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	hiocqy.exe
File opened for modification	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	hiocqy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
768	schtasks.exe
1272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
432	hiocqy.exe
432	hiocqy.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
432	hiocqy.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1972	hiocqy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	hiocqy.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1972	2028	TNT AWB TRACKING DETAILS.exe	28
PID 2028 wrote to memory of 1972	2028	TNT AWB TRACKING DETAILS.exe	28
PID 2028 wrote to memory of 1972	2028	TNT AWB TRACKING DETAILS.exe	28
PID 2028 wrote to memory of 1972	2028	TNT AWB TRACKING DETAILS.exe	28
PID 1972 wrote to memory of 432	1972	hiocqy.exe	30
PID 1972 wrote to memory of 432	1972	hiocqy.exe	30
PID 1972 wrote to memory of 432	1972	hiocqy.exe	30
PID 1972 wrote to memory of 432	1972	hiocqy.exe	30
PID 1972 wrote to memory of 432	1972	hiocqy.exe	30
PID 432 wrote to memory of 768	432	hiocqy.exe	31
PID 432 wrote to memory of 768	432	hiocqy.exe	31
PID 432 wrote to memory of 768	432	hiocqy.exe	31
PID 432 wrote to memory of 768	432	hiocqy.exe	31
PID 432 wrote to memory of 1272	432	hiocqy.exe	33
PID 432 wrote to memory of 1272	432	hiocqy.exe	33
PID 432 wrote to memory of 1272	432	hiocqy.exe	33
PID 432 wrote to memory of 1272	432	hiocqy.exe	33

C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\hiocqy.exe
  "C:\Users\Admin\AppData\Local\Temp\hiocqy.exe" C:\Users\Admin\AppData\Local\Temp\tmzcv.ci
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\hiocqy.exe
    "C:\Users\Admin\AppData\Local\Temp\hiocqy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1037.tmp"
      4⤵
      Creates scheduled task(s)
      PID:768
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp147C.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoclwkt.s

Filesize
301KB

MD5
81a3ecab425e8e50ada59ac5d4a01415

SHA1
e6d122d61f136c190139b9d03eb4e059aa7c865b

SHA256
efbd5085d28b795bf0d3d70283a8668ec5312a8daae4a5a6ccff2eab6893742e

SHA512
d5521c3381279c0a58ab23a438a987fd1383c572bb41eb24343fc127e820695d951d8151f00e3be64b01a003b8e46dea711bdcf9b1cd293280532c7bd45b5b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1037.tmp

Filesize
1KB

MD5
c156dcb6b87cdedf6ef8b0001bea09e4

SHA1
df77b6f0bb9c8818807c080433b2f40ef8b8636e

SHA256
76289aedd6f2744e7c0c16f06609ee7a36fa35cdda7eda651f20a41fe99ae243

SHA512
cbd4bb5db72c28c7d7070a0f01fe264acc0c3003e2bf50c64f47930d30ce0ca23e7da811223b8e7a8cb52efb1e30bbc6d813a44eddc71a0978b3881ecf7d9a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp147C.tmp

Filesize
1KB

MD5
8e2d5fba24ae8a54087d8e6cadc188c1

SHA1
548555025543b4773b8f36301f5fa5003e1c85dc

SHA256
f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759

SHA512
9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmzcv.ci

Filesize
5KB

MD5
fd89de32276854cef6b9d4563a4c7e0d

SHA1
2bedfbb03429151fbe576323811121a6ff7bf704

SHA256
c690ac0daf1c3662520cb911c16557d2fd270c59b04cc1db1d79b1cc0bdf6f17

SHA512
8f4d7e37eb5affb0ad2822057f6e6d7f6a18e174ea4f9077cd18632a5c137f32a3350ff1ac102f14d93aabdd1034bea3246a337567fcf26cd75828684cef82e8

Download Submit
\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
memory/432-65-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/432-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/432-71-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/432-72-0x0000000000930000-0x000000000094E000-memory.dmp

Filesize
120KB

Download
memory/432-73-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2028-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download