nanocore | 34affaaba3a4e52459471d0f1591fce1a555bd1525512a241bc0542dbe0f3e9e

General

Target

TNT AWB TRACKING DETAILS.exe
Size

552KB
MD5

92d6b5ea0091ae3fab2cd511b70260cc
SHA1

a1a12e265c8ab6391b907484c9cbc78d2f8aa3a7
SHA256

34affaaba3a4e52459471d0f1591fce1a555bd1525512a241bc0542dbe0f3e9e
SHA512

d57be54539b39538e9302918f389e60429cd4f2c16c132a96a60497f8093208ffc65a35c8cf3074499260ff6a940675692421e36d907ff72b7ccef74555650f5
SSDEEP

12288:rYNGCXnph4rAUTJkyuLALrYoFbcQ2Kqcfay:rYIKph4BnYubLJay

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chinomso.duckdns.org:7688

Mutex

550fe17f-82a7-425a-a9c7-b48d0fc640a0

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2022-10-04T09:40:25.305842836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
550fe17f-82a7-425a-a9c7-b48d0fc640a0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 3 IoCs

pid	Process
4708	hiocqy.exe
3448	hiocqy.exe
5028	hiocqy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe"	hiocqy.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hiocqy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 5028	4708	hiocqy.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UPNP Monitor\upnpmon.exe	hiocqy.exe
File opened for modification	C:\Program Files (x86)\UPNP Monitor\upnpmon.exe	hiocqy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4896	schtasks.exe
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5028	hiocqy.exe
5028	hiocqy.exe
5028	hiocqy.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5028	hiocqy.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4708	hiocqy.exe
4708	hiocqy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	hiocqy.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4708	4800	TNT AWB TRACKING DETAILS.exe	80
PID 4800 wrote to memory of 4708	4800	TNT AWB TRACKING DETAILS.exe	80
PID 4800 wrote to memory of 4708	4800	TNT AWB TRACKING DETAILS.exe	80
PID 4708 wrote to memory of 3448	4708	hiocqy.exe	82
PID 4708 wrote to memory of 3448	4708	hiocqy.exe	82
PID 4708 wrote to memory of 3448	4708	hiocqy.exe	82
PID 4708 wrote to memory of 5028	4708	hiocqy.exe	83
PID 4708 wrote to memory of 5028	4708	hiocqy.exe	83
PID 4708 wrote to memory of 5028	4708	hiocqy.exe	83
PID 4708 wrote to memory of 5028	4708	hiocqy.exe	83
PID 5028 wrote to memory of 4896	5028	hiocqy.exe	84
PID 5028 wrote to memory of 4896	5028	hiocqy.exe	84
PID 5028 wrote to memory of 4896	5028	hiocqy.exe	84
PID 5028 wrote to memory of 1412	5028	hiocqy.exe	86
PID 5028 wrote to memory of 1412	5028	hiocqy.exe	86
PID 5028 wrote to memory of 1412	5028	hiocqy.exe	86

C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\hiocqy.exe
  "C:\Users\Admin\AppData\Local\Temp\hiocqy.exe" C:\Users\Admin\AppData\Local\Temp\tmzcv.ci
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\hiocqy.exe
    "C:\Users\Admin\AppData\Local\Temp\hiocqy.exe"
    3⤵
    - Executes dropped EXE
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\hiocqy.exe
    "C:\Users\Admin\AppData\Local\Temp\hiocqy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA2AD.tmp"
      4⤵
      Creates scheduled task(s)
      PID:4896
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA32B.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiocqy.exe

Filesize
90KB

MD5
ef249c312960cf6777685f4d4bf61b01

SHA1
86344ccbaa1f2d87e2d38dc08e0a07c95fd28361

SHA256
85a559430555eddb72eedcbd4616a63fd962b814d2c22756e5723105844ec446

SHA512
b12a4bf608c018e1c14d530c529780e83d6411d1684f02aadbd552e105d393cf9767d71342e5c5eefe97421a311e61e6347d75f6d4218de77877c38435e46223

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoclwkt.s

Filesize
301KB

MD5
81a3ecab425e8e50ada59ac5d4a01415

SHA1
e6d122d61f136c190139b9d03eb4e059aa7c865b

SHA256
efbd5085d28b795bf0d3d70283a8668ec5312a8daae4a5a6ccff2eab6893742e

SHA512
d5521c3381279c0a58ab23a438a987fd1383c572bb41eb24343fc127e820695d951d8151f00e3be64b01a003b8e46dea711bdcf9b1cd293280532c7bd45b5b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2AD.tmp

Filesize
1KB

MD5
c156dcb6b87cdedf6ef8b0001bea09e4

SHA1
df77b6f0bb9c8818807c080433b2f40ef8b8636e

SHA256
76289aedd6f2744e7c0c16f06609ee7a36fa35cdda7eda651f20a41fe99ae243

SHA512
cbd4bb5db72c28c7d7070a0f01fe264acc0c3003e2bf50c64f47930d30ce0ca23e7da811223b8e7a8cb52efb1e30bbc6d813a44eddc71a0978b3881ecf7d9a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA32B.tmp

Filesize
1KB

MD5
c9a4c783d2e18eea86e071de92f36f02

SHA1
4cb02db05386ccb70a23fa89dbadfddfc8f7b6af

SHA256
21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a

SHA512
b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmzcv.ci

Filesize
5KB

MD5
fd89de32276854cef6b9d4563a4c7e0d

SHA1
2bedfbb03429151fbe576323811121a6ff7bf704

SHA256
c690ac0daf1c3662520cb911c16557d2fd270c59b04cc1db1d79b1cc0bdf6f17

SHA512
8f4d7e37eb5affb0ad2822057f6e6d7f6a18e174ea4f9077cd18632a5c137f32a3350ff1ac102f14d93aabdd1034bea3246a337567fcf26cd75828684cef82e8

Download Submit
memory/5028-144-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/5028-145-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/5028-143-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/5028-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5028-141-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads