nanocore | 7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32

General

Target

129940eb6b4747b1569e7da5f37157db.exe
Size

762KB
MD5

129940eb6b4747b1569e7da5f37157db
SHA1

833dbea5d5f6f2b6bf1f24d9ca2c6d807804b6d9
SHA256

7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32
SHA512

3272119368abc30454d2ff1f4430aa30b2f0e71999f4c32dceae7b28d925210f3d79d1f50ae797270f2641c5d5f8344cb6728fdbbfb4654cf829778e68086d68
SSDEEP

12288:z1VLXCxGmsXPqiPnXkATcCPqcPRh17SMJU9fkPCldfKVWjzDYRw6gXZjZ81GidIL:RVLXkGXPqiPnXkAICx5hxSM68ydSqHp7

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

iyhto.ddns.net:3531

Mutex

42c7bb0d-2a49-4c9a-b8e7-5ee248f484c7

Attributes

activate_away_mode
true
backup_connection_host
iyhto.ddns.net
backup_dns_server
buffer_size
65535
build_time
2020-08-18T04:21:38.557873036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3531
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
42c7bb0d-2a49-4c9a-b8e7-5ee248f484c7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
iyhto.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	129940eb6b4747b1569e7da5f37157db.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Host = "C:\\Program Files (x86)\\DPI Host\\dpihost.exe"	129940eb6b4747b1569e7da5f37157db.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	129940eb6b4747b1569e7da5f37157db.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description pid process target process

PID 2028 set thread context of 3480 2028 129940eb6b4747b1569e7da5f37157db.exe 129940eb6b4747b1569e7da5f37157db.exe

description	pid	process	target process
PID 2028 set thread context of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe

Drops file in Program Files directory 2 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Host\dpihost.exe	129940eb6b4747b1569e7da5f37157db.exe
File opened for modification	C:\Program Files (x86)\DPI Host\dpihost.exe	129940eb6b4747b1569e7da5f37157db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1492 schtasks.exe

pid	process
1492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exepowershell.exe129940eb6b4747b1569e7da5f37157db.exe

pid	process
2028	129940eb6b4747b1569e7da5f37157db.exe
2028	129940eb6b4747b1569e7da5f37157db.exe
3848	powershell.exe
3848	powershell.exe
3480	129940eb6b4747b1569e7da5f37157db.exe
3480	129940eb6b4747b1569e7da5f37157db.exe
3480	129940eb6b4747b1569e7da5f37157db.exe
3480	129940eb6b4747b1569e7da5f37157db.exe
3480	129940eb6b4747b1569e7da5f37157db.exe
3480	129940eb6b4747b1569e7da5f37157db.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exe

pid process

3480 129940eb6b4747b1569e7da5f37157db.exe

pid	process
3480	129940eb6b4747b1569e7da5f37157db.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exepowershell.exe129940eb6b4747b1569e7da5f37157db.exe

description	pid	process
Token: SeDebugPrivilege	2028	129940eb6b4747b1569e7da5f37157db.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3480	129940eb6b4747b1569e7da5f37157db.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

129940eb6b4747b1569e7da5f37157db.exe

description	pid	process	target process
PID 2028 wrote to memory of 3848	2028	129940eb6b4747b1569e7da5f37157db.exe	powershell.exe
PID 2028 wrote to memory of 3848	2028	129940eb6b4747b1569e7da5f37157db.exe	powershell.exe
PID 2028 wrote to memory of 3848	2028	129940eb6b4747b1569e7da5f37157db.exe	powershell.exe
PID 2028 wrote to memory of 1492	2028	129940eb6b4747b1569e7da5f37157db.exe	schtasks.exe
PID 2028 wrote to memory of 1492	2028	129940eb6b4747b1569e7da5f37157db.exe	schtasks.exe
PID 2028 wrote to memory of 1492	2028	129940eb6b4747b1569e7da5f37157db.exe	schtasks.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe
PID 2028 wrote to memory of 3480	2028	129940eb6b4747b1569e7da5f37157db.exe	129940eb6b4747b1569e7da5f37157db.exe

C:\Users\Admin\AppData\Local\Temp\129940eb6b4747b1569e7da5f37157db.exe
"C:\Users\Admin\AppData\Local\Temp\129940eb6b4747b1569e7da5f37157db.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QDciObviIKfRDf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QDciObviIKfRDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BA6.tmp"
2⤵
- Creates scheduled task(s)
PID:1492

C:\Users\Admin\AppData\Local\Temp\129940eb6b4747b1569e7da5f37157db.exe
"C:\Users\Admin\AppData\Local\Temp\129940eb6b4747b1569e7da5f37157db.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\129940eb6b4747b1569e7da5f37157db.exe.log
Filesize
1KB

MD5
36049bae97bba745c793444373453cb0

SHA1
eb6e9a822944e8e207abba1a5e53f0183a1684f1

SHA256
839fa1f9725719938ffa24533587b168bae2768f23ac09dccb3ad4ab8ae6abcd

SHA512
a6584b7b435afeffb6becfbed82517087030eb23534fa50deecd02330bf36d633ba22e979e36b9c27e35885f9cc1cc9481dadc53cc265be61391e11a7c2c7cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1iuygzp.qpr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BA6.tmp
Filesize
1KB

MD5
e8f8b0aaa0ce8bc33f1fffe19b9b986a

SHA1
d772a6a2dad4a9b60416e6c824e15360fbb3b3de

SHA256
2f9f37247bd3df7bd690d5e9aa2a7933df65afe8564555526eb25c467d62bb12

SHA512
0f815d0f3007875db13840e37e3e150ecdbefe6bcfa2a94be4a54bdcb2a4af1695fabe109130f0369f607a5d454c718b721fa542fedf53944797e1c73acc0851

Download Submit
memory/2028-135-0x0000000007650000-0x0000000007BF4000-memory.dmp

Filesize
5.6MB

Download
memory/2028-134-0x0000000007020000-0x0000000007030000-memory.dmp

Filesize
64KB

Download
memory/2028-136-0x0000000007140000-0x00000000071D2000-memory.dmp

Filesize
584KB

Download
memory/2028-137-0x0000000007020000-0x0000000007030000-memory.dmp

Filesize
64KB

Download
memory/2028-138-0x0000000007020000-0x0000000007030000-memory.dmp

Filesize
64KB

Download
memory/2028-139-0x0000000008B40000-0x0000000008BDC000-memory.dmp

Filesize
624KB

Download
memory/2028-133-0x0000000000040000-0x0000000000104000-memory.dmp

Filesize
784KB

Download
memory/3480-159-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/3480-168-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/3480-195-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/3480-147-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3848-170-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3848-173-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/3848-144-0x0000000002D30000-0x0000000002D66000-memory.dmp

Filesize
216KB

Download
memory/3848-160-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3848-158-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3848-167-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/3848-152-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/3848-151-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3848-172-0x0000000006BD0000-0x0000000006C02000-memory.dmp

Filesize
200KB

Download
memory/3848-146-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3848-183-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/3848-184-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/3848-186-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/3848-185-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

Filesize
64KB

Download
memory/3848-187-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/3848-188-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/3848-190-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/3848-191-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/3848-192-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/3848-150-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads