nanocore | a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
Size

627KB
MD5

1017fcdd21ff4ee2a5ac3d90b680d2fe
SHA1

b9e040314eb74c24ad9f42ce37032ad238a37649
SHA256

a898127d2c98fda1751d317cdf3a1d85f79de8fe762edb2415ec04e7c1c53a6f
SHA512

a14a8ba5d52b4e206fe25dd7f889061baf6d56f2fface2121254bf3b3ba24062d342d0f196347af6055261961b1a9b56a8b8b52c3f65843ed3c32e30644384db
SSDEEP

12288:pToPWBv/cpGrU3yJDwlNm2n+d6twT2/FRXJbIMp8NDSjt/:pTbBv5rUGGm5UtwT29EMp8J+/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

justkowir.duckdns.org:8550

Mutex

513a9907-f4ca-4a36-8f25-fcb7088c00a5

Attributes

activate_away_mode
true
backup_connection_host
justkowir.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-01-03T15:53:14.690945336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8550
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
513a9907-f4ca-4a36-8f25-fcb7088c00a5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
justkowir.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

fpipnlvahva.exefpipnlvahva.exe

pid process

1684 fpipnlvahva.exe
564 fpipnlvahva.exe

pid	process
1684	fpipnlvahva.exe
564	fpipnlvahva.exe

Loads dropped DLL 12 IoCs

Processes:

1017fcdd21ff4ee2a5ac3d90b680d2fe.exefpipnlvahva.exefpipnlvahva.exeWerFault.exe

pid	process
1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
1684	fpipnlvahva.exe
1684	fpipnlvahva.exe
1696	fpipnlvahva.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fpipnlvahva.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\iimn = "C:\\Users\\Admin\\AppData\\Roaming\\riyheotkjtu\\amrhioao.exe"	fpipnlvahva.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

fpipnlvahva.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fpipnlvahva.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fpipnlvahva.exe

description pid process target process

PID 1684 set thread context of 1696 1684 fpipnlvahva.exe fpipnlvahva.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1988 1684 WerFault.exe fpipnlvahva.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fpipnlvahva.exe

pid process

1696 fpipnlvahva.exe
1696 fpipnlvahva.exe
1696 fpipnlvahva.exe
1696 fpipnlvahva.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fpipnlvahva.exe

pid process

1696 fpipnlvahva.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fpipnlvahva.exe

description pid process

Token: SeDebugPrivilege 1696 fpipnlvahva.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fpipnlvahva.exe

description	pid	process	target process
PID 1684 set thread context of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe

pid	pid_target	process	target process
1988	1684	WerFault.exe	fpipnlvahva.exe

pid	process
1696	fpipnlvahva.exe
1696	fpipnlvahva.exe
1696	fpipnlvahva.exe
1696	fpipnlvahva.exe

pid	process
1696	fpipnlvahva.exe

description	pid	process
Token: SeDebugPrivilege	1696	fpipnlvahva.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1017fcdd21ff4ee2a5ac3d90b680d2fe.exefpipnlvahva.exe

description	pid	process	target process
PID 1304 wrote to memory of 1684	1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe	fpipnlvahva.exe
PID 1304 wrote to memory of 1684	1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe	fpipnlvahva.exe
PID 1304 wrote to memory of 1684	1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe	fpipnlvahva.exe
PID 1304 wrote to memory of 1684	1304	1017fcdd21ff4ee2a5ac3d90b680d2fe.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 564	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 564	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 564	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 564	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1696	1684	fpipnlvahva.exe	fpipnlvahva.exe
PID 1684 wrote to memory of 1988	1684	fpipnlvahva.exe	WerFault.exe
PID 1684 wrote to memory of 1988	1684	fpipnlvahva.exe	WerFault.exe
PID 1684 wrote to memory of 1988	1684	fpipnlvahva.exe	WerFault.exe
PID 1684 wrote to memory of 1988	1684	fpipnlvahva.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1017fcdd21ff4ee2a5ac3d90b680d2fe.exe
"C:\Users\Admin\AppData\Local\Temp\1017fcdd21ff4ee2a5ac3d90b680d2fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
"C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
"C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe"
3⤵
- Executes dropped EXE
PID:564

C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
"C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 188
3⤵
- Loads dropped DLL
- Program crash
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajzuctgwhq.rm
Filesize
6KB

MD5
653b6698f08c05f61382fd9abb47d3ff

SHA1
5b5a6dbe0f2a4dfe96a942e59e7530e398735526

SHA256
a8ead7b3bbd1c745ddf6bdd56754abef6c0b1e5c89c307a9a96271cf60b8a204

SHA512
f7e12a7fba40c14df31e52f25c763bd665e67ae3cf1d225fa102a7b1617fa3d4738cdcda3a9d0d6102abedd69be12c048d208d6e2a568257e86315e74c4d413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdruo.j
Filesize
280KB

MD5
4b6c6f48f5821d454e178621b0e1ac81

SHA1
31ea40a6563dc7b0007faf50de68e2f52dded053

SHA256
d8d01e1f71f56f8d39386e5346efac30fe9480370974127e409d61b648cd7afd

SHA512
88487b71d1558a0dce462b71244452db14c37878ff44dde9935d304b23c6cf9c73f38795ddcfbbaf0d9e9cc9f7ce585d054f2b24e7ba7610119ba7f240ef75ce

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
\Users\Admin\AppData\Local\Temp\fpipnlvahva.exe
Filesize
56KB

MD5
87db5b2fefc7222378a104d7f19a2fe6

SHA1
3b8cee98e2c9995b1f272a440a579292ad1494fb

SHA256
0a35fca48936fd55902f1c27b15232bb77dc3b8ddaf51717d537c7d51480c5e0

SHA512
5f63bbf8e89228e8e6d2c906caf1699ef8029c285066520728077b926dc15943d88a7551e404e67e8b3070204ec6615a77ee46ceae1e2f3cc574a6e16302a3c4

Download Submit
memory/1684-87-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1696-101-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/1696-111-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1696-100-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/1696-93-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1696-95-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1696-94-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1696-98-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1696-99-0x0000000000670000-0x000000000068A000-memory.dmp

Filesize
104KB

Download
memory/1696-92-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/1696-91-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1696-103-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/1696-102-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1696-104-0x00000000008B0000-0x00000000008C4000-memory.dmp

Filesize
80KB

Download
memory/1696-105-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/1696-106-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/1696-107-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/1696-108-0x00000000023D0000-0x00000000023FE000-memory.dmp

Filesize
184KB

Download
memory/1696-109-0x0000000000CB0000-0x0000000000CC4000-memory.dmp

Filesize
80KB

Download
memory/1696-89-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download