nanocore | b8d747db69fac284ccfeab921f8e06b6403763914b776ff518e6d3643ed9056d

General

Target

0d3ec9b2b95b32cc6c1746330ad5ec5e.exe
Size

355KB
MD5

0d3ec9b2b95b32cc6c1746330ad5ec5e
SHA1

f22822dd82e49f633eb136fd5ee717b6d75adf0a
SHA256

b8d747db69fac284ccfeab921f8e06b6403763914b776ff518e6d3643ed9056d
SHA512

e58c64de7d97cab2d23b2b8a41edaeffadf9f6edbc383ccc729cb82efa4ad1f2c340866920a6162a62f6bd348098196ef13e4627d157461ca613f24ecad1774e
SSDEEP

6144:tYa6aWhvrWv60yRwUVUpR7wmPsLx/v7v+YPDQ7i+e30uJW2nunCgWCfani:tY4WRWzyRwnRkmIb2kQ7iL0uJFmfX

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bouricrat.duckdns.org:6445

Mutex

351a9355-099d-4d8e-aef5-126657425e1b

Attributes

activate_away_mode
true
backup_connection_host
bouricrat.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-11-20T03:15:20.565935636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6445
default_group
Vitalz
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
351a9355-099d-4d8e-aef5-126657425e1b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
bouricrat.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2084	eqjwzt.exe
4748	eqjwzt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbwgpluqajf = "C:\\Users\\Admin\\AppData\\Roaming\\yirnwsclhqavfb\\ktpxhdmi.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eqjwzt.exe\" C:\\Users\\Admin\\AppData\\L"	eqjwzt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eqjwzt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 4748	2084	eqjwzt.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4748	eqjwzt.exe
4748	eqjwzt.exe
4748	eqjwzt.exe
4748	eqjwzt.exe
4748	eqjwzt.exe
4748	eqjwzt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4748	eqjwzt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2084	eqjwzt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	eqjwzt.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2084	5012	0d3ec9b2b95b32cc6c1746330ad5ec5e.exe	78
PID 5012 wrote to memory of 2084	5012	0d3ec9b2b95b32cc6c1746330ad5ec5e.exe	78
PID 5012 wrote to memory of 2084	5012	0d3ec9b2b95b32cc6c1746330ad5ec5e.exe	78
PID 2084 wrote to memory of 4748	2084	eqjwzt.exe	80
PID 2084 wrote to memory of 4748	2084	eqjwzt.exe	80
PID 2084 wrote to memory of 4748	2084	eqjwzt.exe	80
PID 2084 wrote to memory of 4748	2084	eqjwzt.exe	80

C:\Users\Admin\AppData\Local\Temp\0d3ec9b2b95b32cc6c1746330ad5ec5e.exe
"C:\Users\Admin\AppData\Local\Temp\0d3ec9b2b95b32cc6c1746330ad5ec5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe
  "C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe" C:\Users\Admin\AppData\Local\Temp\mdxhfo.hl
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe
    "C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe

Filesize
67KB

MD5
e055e15c177435585aadd61ee4f0b9db

SHA1
4e9ff8b8a8d4be401a0fe93c1736bd9dacfa2b52

SHA256
4dbf2bec82307bbf3be4196be3cb2154e226eee77faa12a2ac721523cbbc121b

SHA512
a1d177df5e82a3cc7dc2e2100565a538d0bce6d33ab9476dc5249fe89ffbccc3b7bc07e00bcb352e74bd33a80b7ec0b63650257eba197ad1a14d107339e5d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe

Filesize
67KB

MD5
e055e15c177435585aadd61ee4f0b9db

SHA1
4e9ff8b8a8d4be401a0fe93c1736bd9dacfa2b52

SHA256
4dbf2bec82307bbf3be4196be3cb2154e226eee77faa12a2ac721523cbbc121b

SHA512
a1d177df5e82a3cc7dc2e2100565a538d0bce6d33ab9476dc5249fe89ffbccc3b7bc07e00bcb352e74bd33a80b7ec0b63650257eba197ad1a14d107339e5d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqjwzt.exe

Filesize
67KB

MD5
e055e15c177435585aadd61ee4f0b9db

SHA1
4e9ff8b8a8d4be401a0fe93c1736bd9dacfa2b52

SHA256
4dbf2bec82307bbf3be4196be3cb2154e226eee77faa12a2ac721523cbbc121b

SHA512
a1d177df5e82a3cc7dc2e2100565a538d0bce6d33ab9476dc5249fe89ffbccc3b7bc07e00bcb352e74bd33a80b7ec0b63650257eba197ad1a14d107339e5d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdxhfo.hl

Filesize
7KB

MD5
8698d6ff105a36bc033f009dffe09adc

SHA1
f9996c1816ad7f4fef87ba49eec25d5239dfe71b

SHA256
9347befdf8e278e0e193707ceb04c9c33bf069d0dba3637be564b26bf86e4ba1

SHA512
28b19ff2f464e8b2734cb3d5511d83317e81219980c5fa81c5e65d7520769b7ecc569722e2bed251c38f87dbe9b6c239bb3d467bb4fe8659bff374338247b0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scimhhq.xar

Filesize
300KB

MD5
39eddad3f3337d93773855a6a774732a

SHA1
a32f1fb57a9702d86d800a0da76f9941c3aa2f74

SHA256
c9e51ce3b7d9cced04b9a18f18d608e0728380790952a452d633a454031ee8c5

SHA512
8bbd5c504726b8cd358f7a86f1eec00fdcc0da0931cc45284bf709964babb4d858ca64df5b53731829c3da4925d894b6190f6fe67131ebc10f9b19927ba3fd41

Download Submit
memory/4748-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4748-140-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4748-141-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing