nanocore | a8953f2dca5171e14663eefb973c1793decce1dcd6c7baa63081a3d681dbc1c1

General

Target

YWjESQ2siMOeTGY.exe
Size

1.2MB
MD5

2c9847c76f51b2c6a2fe2abe4a9c91f3
SHA1

e3d0facab5b7671ccdac2476a699ab2f817b4479
SHA256

a8953f2dca5171e14663eefb973c1793decce1dcd6c7baa63081a3d681dbc1c1
SHA512

a85c40c7033a7262cf063f38e845d223701b86d155ed29d12e353487384660dbe06d379de6741e778a939ef47ad8370b809f060108b42967394f8aaa7cd45b73
SSDEEP

24576:9A5IeDQd/XJwtr4Xqfbd3TFZNoDoAyfiF1geG68Nq9H9Z2839Y2YXC8bx7wwI3n2:25/QR5wtr4XEbvA+iF1geG68Nq9Hr286

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

win2020.zapto.org:10123

Mutex

34fa688f-c4d0-419c-ba07-1926952dc2c2

Attributes

activate_away_mode
true
backup_connection_host
win2020.zapto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-01-06T07:29:23.375362136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
10123
default_group
built
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
34fa688f-c4d0-419c-ba07-1926952dc2c2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
win2020.zapto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

YWjESQ2siMOeTGY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisv.exe"	YWjESQ2siMOeTGY.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

YWjESQ2siMOeTGY.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YWjESQ2siMOeTGY.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

YWjESQ2siMOeTGY.exe

description pid process target process

PID 1236 set thread context of 796 1236 YWjESQ2siMOeTGY.exe YWjESQ2siMOeTGY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YWjESQ2siMOeTGY.exe

description	pid	process	target process
PID 1236 set thread context of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe

Drops file in Program Files directory 2 IoCs

Processes:

YWjESQ2siMOeTGY.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisv.exe	YWjESQ2siMOeTGY.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisv.exe	YWjESQ2siMOeTGY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

544 schtasks.exe

pid	process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

YWjESQ2siMOeTGY.exepowershell.exepowershell.exeYWjESQ2siMOeTGY.exe

pid	process
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
1236	YWjESQ2siMOeTGY.exe
276	powershell.exe
972	powershell.exe
796	YWjESQ2siMOeTGY.exe
796	YWjESQ2siMOeTGY.exe
796	YWjESQ2siMOeTGY.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

YWjESQ2siMOeTGY.exe

pid process

796 YWjESQ2siMOeTGY.exe

pid	process
796	YWjESQ2siMOeTGY.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

YWjESQ2siMOeTGY.exepowershell.exepowershell.exeYWjESQ2siMOeTGY.exe

description	pid	process
Token: SeDebugPrivilege	1236	YWjESQ2siMOeTGY.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	796	YWjESQ2siMOeTGY.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

YWjESQ2siMOeTGY.exe

description	pid	process	target process
PID 1236 wrote to memory of 276	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 276	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 276	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 276	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 972	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 972	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 972	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 972	1236	YWjESQ2siMOeTGY.exe	powershell.exe
PID 1236 wrote to memory of 544	1236	YWjESQ2siMOeTGY.exe	schtasks.exe
PID 1236 wrote to memory of 544	1236	YWjESQ2siMOeTGY.exe	schtasks.exe
PID 1236 wrote to memory of 544	1236	YWjESQ2siMOeTGY.exe	schtasks.exe
PID 1236 wrote to memory of 544	1236	YWjESQ2siMOeTGY.exe	schtasks.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe
PID 1236 wrote to memory of 796	1236	YWjESQ2siMOeTGY.exe	YWjESQ2siMOeTGY.exe

C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
"C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KAmVjfLsWgBU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAmVjfLsWgBU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE64A.tmp"
2⤵
- Creates scheduled task(s)
PID:544

C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
"C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE64A.tmp
Filesize
1KB

MD5
7b86e531ae438416cce0ff0f6f5d3865

SHA1
65a58b06e9477c858be7583959b45ddae38b6cdc

SHA256
85d135e03d43d4078435ce0472ccc5f0c1ff52618433d92fe3b1c140f5b9ba05

SHA512
da865f1e7d9e11dbf3a80d0d25c9efdaaa5b96fb6fb9b6d672e17fe84d02eb99f34d8d3c78bb640fb1a7cbe3d8e8f1b489638f7d8f3f1bcdcdee1c944e3c4a67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PYBDRXWSVQZMYC857S3X.temp
Filesize
7KB

MD5
e61a8e237f9340612d4be8e7e791b45b

SHA1
0244d5c4674617081fb036d698e3e64bdd74b539

SHA256
0175aee8838a54fa91ded7f6c93a3ee6adcc56e6cf3d39b839ffa1450b90fd27

SHA512
6090fa75cda7b08af727fdfe20d204b8b9bb790ea524cb3146dc0f538bbe27cd35ca1d714b0e9e22541b98a27fbeb58b220c24b258798aa80c4f4241717b521a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e61a8e237f9340612d4be8e7e791b45b

SHA1
0244d5c4674617081fb036d698e3e64bdd74b539

SHA256
0175aee8838a54fa91ded7f6c93a3ee6adcc56e6cf3d39b839ffa1450b90fd27

SHA512
6090fa75cda7b08af727fdfe20d204b8b9bb790ea524cb3146dc0f538bbe27cd35ca1d714b0e9e22541b98a27fbeb58b220c24b258798aa80c4f4241717b521a

Download Submit
memory/276-89-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/796-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-87-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/796-86-0x0000000000560000-0x000000000057E000-memory.dmp

Filesize
120KB

Download
memory/796-85-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/796-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/972-88-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1236-54-0x0000000000090000-0x00000000001CE000-memory.dmp

Filesize
1.2MB

Download
memory/1236-59-0x0000000005770000-0x0000000005824000-memory.dmp

Filesize
720KB

Download
memory/1236-56-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/1236-57-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1236-65-0x00000000043B0000-0x00000000043EC000-memory.dmp

Filesize
240KB

Download
memory/1236-58-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1236-55-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads