nanocore | e5f45dcbcb58804732fa0164097f0be61c5e3b30594eea1a726f82e4d1e68858

General

Target

1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe
Size

369KB
MD5

43209bda3c2993ca22a38d243a8e7747
SHA1

a684fb8f5063e5f130fff32d668741c3cc016698
SHA256

1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
SHA512

d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa
SSDEEP

6144:m7XJ+YM8OJ7mEkoAUz1qp2fHmiIth7PkQm1aZX4:mN+Y47myAUzUseicPlN

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

blessed1234.duckdns.org:2023

Mutex

a8941196-a5c4-4b0f-ba02-65265f59a258

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-30T14:36:15.993957836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2023
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a8941196-a5c4-4b0f-ba02-65265f59a258
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
blessed1234.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

524 svchost.exe
2160 svchost.exe
1228 svchost.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

pid	process
524	svchost.exe
2160	svchost.exe
1228	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1456 set thread context of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 524 set thread context of 2480	524	svchost.exe	RegAsm.exe
PID 2160 set thread context of 3552	2160	svchost.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4012 schtasks.exe
3348 schtasks.exe
544 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exe

pid process

4676 RegAsm.exe
4676 RegAsm.exe
4676 RegAsm.exe
4676 RegAsm.exe
4676 RegAsm.exe
4676 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

4676 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 4676 RegAsm.exe

pid	process
4012	schtasks.exe
3348	schtasks.exe
544	schtasks.exe

pid	process
4676	RegAsm.exe
4676	RegAsm.exe
4676	RegAsm.exe
4676	RegAsm.exe
4676	RegAsm.exe
4676	RegAsm.exe

pid	process
4676	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4676	RegAsm.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.execmd.exesvchost.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 4676	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	RegAsm.exe
PID 1456 wrote to memory of 1692	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 1692	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 1692	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 4464	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 4464	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 4464	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 2764	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 2764	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 1456 wrote to memory of 2764	1456	1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe	cmd.exe
PID 4464 wrote to memory of 3348	4464	cmd.exe	schtasks.exe
PID 4464 wrote to memory of 3348	4464	cmd.exe	schtasks.exe
PID 4464 wrote to memory of 3348	4464	cmd.exe	schtasks.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 2480	524	svchost.exe	RegAsm.exe
PID 524 wrote to memory of 560	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 560	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 560	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 568	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 568	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 568	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 1644	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 1644	524	svchost.exe	cmd.exe
PID 524 wrote to memory of 1644	524	svchost.exe	cmd.exe
PID 568 wrote to memory of 544	568	cmd.exe	schtasks.exe
PID 568 wrote to memory of 544	568	cmd.exe	schtasks.exe
PID 568 wrote to memory of 544	568	cmd.exe	schtasks.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 3552	2160	svchost.exe	RegAsm.exe
PID 2160 wrote to memory of 684	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 684	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 684	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 3052	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 3052	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 3052	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 368	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 368	2160	svchost.exe	cmd.exe
PID 2160 wrote to memory of 368	2160	svchost.exe	cmd.exe
PID 3052 wrote to memory of 4012	3052	cmd.exe	schtasks.exe
PID 3052 wrote to memory of 4012	3052	cmd.exe	schtasks.exe
PID 3052 wrote to memory of 4012	3052	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe
"C:\Users\Admin\AppData\Local\Temp\1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3348

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:368

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
369KB

MD5
43209bda3c2993ca22a38d243a8e7747

SHA1
a684fb8f5063e5f130fff32d668741c3cc016698

SHA256
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4

SHA512
d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
369KB

MD5
43209bda3c2993ca22a38d243a8e7747

SHA1
a684fb8f5063e5f130fff32d668741c3cc016698

SHA256
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4

SHA512
d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
369KB

MD5
43209bda3c2993ca22a38d243a8e7747

SHA1
a684fb8f5063e5f130fff32d668741c3cc016698

SHA256
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4

SHA512
d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
369KB

MD5
43209bda3c2993ca22a38d243a8e7747

SHA1
a684fb8f5063e5f130fff32d668741c3cc016698

SHA256
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4

SHA512
d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa

Download Submit
memory/1456-134-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1456-135-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1456-133-0x0000000000A10000-0x0000000000A72000-memory.dmp

Filesize
392KB

Download
memory/2480-154-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/3552-160-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/4676-140-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/4676-149-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4676-145-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4676-143-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/4676-142-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/4676-141-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/4676-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads