nanocore | 9513d2c4905f5dba6ce78a808b8598f1e82e4cbf72d29c45fb19d3bd9d747f2c

General

Target

sample.exe
Size

537KB
MD5

ebc1fb5d1234a75535d2bd270de47592
SHA1

9e4ac318e3e6c41a238ab312b7b21374f397f709
SHA256

9513d2c4905f5dba6ce78a808b8598f1e82e4cbf72d29c45fb19d3bd9d747f2c
SHA512

9988d7d62cac432d767d0dcc41ff8a8ab1667e6be04fd0d756d64a4523b0d2ae56b6cd5efd954af6dd9143ef6f140936d32cd32b03d02d7811ebbbfe4eb95204
SSDEEP

12288:4bTzK7if5f6T5JBXYvvYpGPBIHOALdRdJFIeyG8BsrUtWAWo:4bnSiBfo/UaHjxJFLUAAz

Score

10^/10

nanocore discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

213.152.161.138:6134

Mutex

4054ebf3-d582-4ffb-80b2-23ef41e1309d

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-25T10:24:18.372264136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6134
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4054ebf3-d582-4ffb-80b2-23ef41e1309d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
213.152.161.138
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Loads dropped DLL 1 IoCs

Processes:

sample.exe

pid process

2032 sample.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

sample.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Bremseklods\Fjernsynstekniker\Bruiser\Variorum.Sub sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1368 schtasks.exe
1920 schtasks.exe

pid	process
2032	sample.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Bremseklods\Fjernsynstekniker\Bruiser\Variorum.Sub	sample.exe

pid	process
1368	schtasks.exe
1920	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
2⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
2⤵
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAAB4.tmp"
3⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC2B.tmp"
3⤵
- Creates scheduled task(s)
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAAB4.tmp
Filesize
1KB

MD5
497f298fc157762f192a7c42854c6fb6

SHA1
04bec630f5cc64ea17c0e3e780b3ccf15a35c6e0

SHA256
3462cbe62fbb64fc53a0fcf97e43baafe9dd9929204f586a86afe4b89d8048a6

SHA512
c7c6fd3097f4d1ccd313160fedf7cb031644e0836b8c3e25481095e5f4b003759bc84fc6ea9421e3a090e66dc2ff875fec2f394a386691ab178cb164733411b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC2B.tmp
Filesize
1KB

MD5
179f6a368194b3d8490223f22126274b

SHA1
cc2997c7fde3cfe0dcf267bf3b6338a7e2ecf2d0

SHA256
cdfb59fb9dabcedf57f84d9b3ea596f6ce26f8c559b503b6980a42738cf2f4d8

SHA512
8b1c1b2a8db227db2e741171c29e4bfcaad2919665cde77eb5b4058b45fe7c78b46e2ef1bc5b896aa0e172219c4a43b647d68b62db39c8f51ac0ed159e4f042b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5E19.tmp\System.dll
Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
memory/1936-71-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1936-93-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1936-95-0x00000000013E0000-0x0000000005421000-memory.dmp

Filesize
64.3MB

Download
memory/1936-96-0x0000000035880000-0x00000000358C0000-memory.dmp

Filesize
256KB

Download
memory/1936-105-0x0000000035880000-0x00000000358C0000-memory.dmp

Filesize
256KB

Download
memory/1936-107-0x0000000035880000-0x00000000358C0000-memory.dmp

Filesize
256KB

Download
memory/1936-109-0x0000000035880000-0x00000000358C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads