nanocore | ffc0d656f87a8cd4ca271e5ae5789b27dcc46ba7ea2cacbf5b68b055c0b51ca7

General

Target

FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
Size

744KB
MD5

e268b3e2ea0c4dbe8e3378e8c740505c
SHA1

82686ab008207edb6fc2c9e5212f79e9dbffe2f0
SHA256

ffc0d656f87a8cd4ca271e5ae5789b27dcc46ba7ea2cacbf5b68b055c0b51ca7
SHA512

03ec23d45470497e9afa83f5e6ea1365315dfe7bf4710821cb2de8889f64f4d0920bced62a2b309dc505281247d935e59123f5cac7a7fe5ef61cb83388075b89
SSDEEP

12288:MM6xLEOj+xK2kMMUVxoaD86f51vi6I5Vjv8T7GdalA4+Xraw+K+y:Mdn+xK2UUYyj8sT7GkqrL+Xy

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

podzeye.duckdns.org:333

Mutex

f5a68195-4eaf-46b6-9e81-822beb669637

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-02-09T22:47:39.789872836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
333
default_group
Hacks
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f5a68195-4eaf-46b6-9e81-822beb669637
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
podzeye.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
2000	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
2000	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
Token: SeDebugPrivilege	2000	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1640	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	27
PID 924 wrote to memory of 1640	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	27
PID 924 wrote to memory of 1640	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	27
PID 924 wrote to memory of 1640	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	27
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29
PID 924 wrote to memory of 2000	924	FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe	29

C:\Users\Admin\AppData\Local\Temp\FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
"C:\Users\Admin\AppData\Local\Temp\FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HIjCCVqmLRYqLa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFAB4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe
  "C:\Users\Admin\AppData\Local\Temp\FFC0D656F87A8CD4CA271E5AE5789B27DCC46BA7EA2CA.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFAB4.tmp

Filesize
1KB

MD5
c997e1d62d49673af40de5cd75ce540a

SHA1
3f07958ae25c32010884ad2e3194c6c44f795706

SHA256
5f36e0a6a7defc1e3168e611a95198af76afc948179928cac85a742070ad3f03

SHA512
af46b8d40e6551079d2d9b7cac728932d969145232ba75ea515d7caa2d2cc275a103fc51b391b0b983f4a0c96dd65b553588212f29aed0dccaf3fe4c2ca94530

Download Submit
memory/924-54-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/924-55-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/924-56-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2000-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2000-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2000-73-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2000-74-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads