nanocore | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef

General

Target

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Size

461KB
MD5

5c1b6e8b6457c4c20025b35f84a3b4cb
SHA1

78a29561ed2069fd539e06606b1b6dd93a24f0d1
SHA256

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef
SHA512

674a09252391f01b70ab931b930d7f05fd8b1879c5ecea8cd89482cf34dfb991a9ba735952b323e4f839601f45d85f4bdad91d70fc08f8aa5d28822f543124c4
SSDEEP

12288:snaTZ1Yqu84rYqFPrGkEgiyiZ+/RTuRhtd:snKNu8qYszGkEHkMtd

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

zafar101.duckdns.org:8779

Mutex

f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e

Attributes

activate_away_mode
true
backup_connection_host
zafar101.duckdns.org
backup_dns_server
zafar101.duckdns.org
buffer_size
65535
build_time
2022-08-13T10:33:19.772981836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8779
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
zafar101.duckdns.org
primary_dns_server
zafar101.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

description	pid	process	target process
PID 2616 set thread context of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2200 schtasks.exe
4800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegSvcs.exe

pid process

676 RegSvcs.exe
676 RegSvcs.exe
676 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

676 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 676 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

pid process

2616 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

pid	process
2200	schtasks.exe
4800	schtasks.exe

pid	process
676	RegSvcs.exe
676	RegSvcs.exe
676	RegSvcs.exe

pid	process
676	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	676	RegSvcs.exe

pid	process
2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exeRegSvcs.exe

description	pid	process	target process
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 2616 wrote to memory of 676	2616	765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe	RegSvcs.exe
PID 676 wrote to memory of 2200	676	RegSvcs.exe	schtasks.exe
PID 676 wrote to memory of 2200	676	RegSvcs.exe	schtasks.exe
PID 676 wrote to memory of 2200	676	RegSvcs.exe	schtasks.exe
PID 676 wrote to memory of 4800	676	RegSvcs.exe	schtasks.exe
PID 676 wrote to memory of 4800	676	RegSvcs.exe	schtasks.exe
PID 676 wrote to memory of 4800	676	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
"C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEDE.tmp"
3⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD017.tmp"
3⤵
- Creates scheduled task(s)
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCEDE.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD017.tmp
Filesize
1KB

MD5
8a92e4176a36b704a55c4888e04853e2

SHA1
6efbd8d0097e2632ca90083974b845f93e5b6a5c

SHA256
91f88494715f51246ed7255ad4bba50e2f5dec26bef203f31450a6a8e1443cdd

SHA512
4ea87f28391b022cfad5e0f695c2413a5addb18a6e9fdf9c56c4121253cf6e532110da8200b1c57b43ee85ed047f1530b1516a7c689c9574af069176114fa157

Download Submit
memory/676-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/676-140-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/676-141-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/676-142-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/676-143-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/676-144-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/676-152-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/676-153-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/676-154-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads