nanocore | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef

General

Target

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Size

461KB
MD5

5c1b6e8b6457c4c20025b35f84a3b4cb
SHA1

78a29561ed2069fd539e06606b1b6dd93a24f0d1
SHA256

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef
SHA512

674a09252391f01b70ab931b930d7f05fd8b1879c5ecea8cd89482cf34dfb991a9ba735952b323e4f839601f45d85f4bdad91d70fc08f8aa5d28822f543124c4
SSDEEP

12288:snaTZ1Yqu84rYqFPrGkEgiyiZ+/RTuRhtd:snKNu8qYszGkEHkMtd

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

zafar101.duckdns.org:8779

Mutex

f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e

Attributes

activate_away_mode
true
backup_connection_host
zafar101.duckdns.org
backup_dns_server
zafar101.duckdns.org
buffer_size
65535
build_time
2022-08-13T10:33:19.772981836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8779
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
zafar101.duckdns.org
primary_dns_server
zafar101.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Subsystem = "C:\\Program Files (x86)\\ARP Subsystem\\arpss.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

description	pid	process	target process
PID 920 set thread context of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Subsystem\arpss.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\ARP Subsystem\arpss.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2032 schtasks.exe
1936 schtasks.exe

pid	process
2032	schtasks.exe
1936	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegSvcs.exe

pid process

1540 RegSvcs.exe
1540 RegSvcs.exe
1540 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1540 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1540 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

pid process

920 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

pid	process
1540	RegSvcs.exe
1540	RegSvcs.exe
1540	RegSvcs.exe

pid	process
1540	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1540	RegSvcs.exe

pid	process
920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exeRegSvcs.exe

description	pid	process	target process
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 920 wrote to memory of 1540	920	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 1540 wrote to memory of 1936	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 1936	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 1936	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 1936	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 2032	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 2032	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 2032	1540	RegSvcs.exe	schtasks.exe
PID 1540 wrote to memory of 2032	1540	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
"C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB08B.tmp"
3⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE255.tmp"
3⤵
- Creates scheduled task(s)
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB08B.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
memory/1540-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-77-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/1540-79-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/1540-82-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/1540-83-0x0000000000630000-0x000000000064E000-memory.dmp

Filesize
120KB

Download
memory/1540-84-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1540-85-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/1540-86-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads