nanocore | 6a782c68b798d60b57784b764fe4e29c1c2b373d1c3fb7acb9efaab9144af081

General

Target

vjustca.exe
Size

317KB
MD5

d4ed05679b3f645ad94aeb76a1d9f512
SHA1

97820f13684b077cc511c5f9f0bb9072561a05ba
SHA256

6a782c68b798d60b57784b764fe4e29c1c2b373d1c3fb7acb9efaab9144af081
SHA512

500764d55297781075febc9ef44507c7ff8d7b44af7a408694f6745ed3d2837bb42cae72129d0735eb891c1265c5323d0292576593f56e59318869a0434f83a6
SSDEEP

6144:CjRfbsw9j74aiGZcpFpD2+iNoKZsy8WU7g/ke2FYD5Fj1:5wl/sLDrimKh8WUkP2Fg

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

justkowir.duckdns.org:8550

Mutex

513a9907-f4ca-4a36-8f25-fcb7088c00a5

Attributes

activate_away_mode
true
backup_connection_host
justkowir.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-01-03T15:53:14.690945336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8550
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
513a9907-f4ca-4a36-8f25-fcb7088c00a5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
justkowir.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

vjustca.exe

pid process

1416 vjustca.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vjustca.exe

description pid process target process

PID 928 set thread context of 1624 928 vjustca.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RegAsm.exe

pid process

1624 RegAsm.exe
1624 RegAsm.exe
1624 RegAsm.exe
1624 RegAsm.exe
1624 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1624 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1624 RegAsm.exe

pid	process
1416	vjustca.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 928 set thread context of 1624	928	vjustca.exe	RegAsm.exe

pid	process
560	schtasks.exe

pid	process
1624	RegAsm.exe
1624	RegAsm.exe
1624	RegAsm.exe
1624	RegAsm.exe
1624	RegAsm.exe

pid	process
1624	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1624	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

vjustca.execmd.exetaskeng.exe

description	pid	process	target process
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 1624	928	vjustca.exe	RegAsm.exe
PID 928 wrote to memory of 304	928	vjustca.exe	WScript.exe
PID 928 wrote to memory of 304	928	vjustca.exe	WScript.exe
PID 928 wrote to memory of 304	928	vjustca.exe	WScript.exe
PID 928 wrote to memory of 304	928	vjustca.exe	WScript.exe
PID 928 wrote to memory of 1000	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 1000	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 1000	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 1000	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 752	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 752	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 752	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 752	928	vjustca.exe	cmd.exe
PID 752 wrote to memory of 560	752	cmd.exe	schtasks.exe
PID 752 wrote to memory of 560	752	cmd.exe	schtasks.exe
PID 752 wrote to memory of 560	752	cmd.exe	schtasks.exe
PID 752 wrote to memory of 560	752	cmd.exe	schtasks.exe
PID 928 wrote to memory of 996	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 996	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 996	928	vjustca.exe	cmd.exe
PID 928 wrote to memory of 996	928	vjustca.exe	cmd.exe
PID 340 wrote to memory of 1416	340	taskeng.exe	vjustca.exe
PID 340 wrote to memory of 1416	340	taskeng.exe	vjustca.exe
PID 340 wrote to memory of 1416	340	taskeng.exe	vjustca.exe
PID 340 wrote to memory of 1416	340	taskeng.exe	vjustca.exe

C:\Users\Admin\AppData\Local\Temp\vjustca.exe
"C:\Users\Admin\AppData\Local\Temp\vjustca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs"
2⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\vjustca"
2⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe'" /f
3⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vjustca.exe" "C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe"
2⤵
PID:996

C:\Windows\system32\taskeng.exe
taskeng.exe {31C7CDFB-99CE-445A-88C9-592C9C0E8E2B} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe
C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe
2⤵
- Executes dropped EXE
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs
Filesize
160B

MD5
0a87f08886c2733d3d1419625ca7fd99

SHA1
b2c685a3fc1d186aa33966d910fa87b03c3701b8

SHA256
819b8f8e621d1718129114a44c02da58599b0fbaa9ad6a7db5610706ff89d768

SHA512
5eb8dad4aa4c3079e51fec09c2bea84a8505263e54dba5e4ccbc21b5d51c31d28b81473bfd8003822011dba7d47982c06049eed8438a562fe851f05b75a445db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe
Filesize
317KB

MD5
d4ed05679b3f645ad94aeb76a1d9f512

SHA1
97820f13684b077cc511c5f9f0bb9072561a05ba

SHA256
6a782c68b798d60b57784b764fe4e29c1c2b373d1c3fb7acb9efaab9144af081

SHA512
500764d55297781075febc9ef44507c7ff8d7b44af7a408694f6745ed3d2837bb42cae72129d0735eb891c1265c5323d0292576593f56e59318869a0434f83a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjustca\vjustca.exe
Filesize
317KB

MD5
d4ed05679b3f645ad94aeb76a1d9f512

SHA1
97820f13684b077cc511c5f9f0bb9072561a05ba

SHA256
6a782c68b798d60b57784b764fe4e29c1c2b373d1c3fb7acb9efaab9144af081

SHA512
500764d55297781075febc9ef44507c7ff8d7b44af7a408694f6745ed3d2837bb42cae72129d0735eb891c1265c5323d0292576593f56e59318869a0434f83a6

Download Submit
memory/928-55-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/928-56-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/928-57-0x0000000000580000-0x00000000005B8000-memory.dmp

Filesize
224KB

Download
memory/928-54-0x0000000000910000-0x0000000000966000-memory.dmp

Filesize
344KB

Download
memory/1416-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-99-0x0000000000CA0000-0x0000000000CF6000-memory.dmp

Filesize
344KB

Download
memory/1624-82-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1624-87-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/1624-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-73-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/1624-74-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/1624-75-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/1624-78-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1624-79-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1624-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-83-0x0000000002450000-0x000000000246A000-memory.dmp

Filesize
104KB

Download
memory/1624-84-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/1624-85-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/1624-86-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/1624-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-88-0x0000000004B70000-0x0000000004B84000-memory.dmp

Filesize
80KB

Download
memory/1624-89-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1624-90-0x0000000004BD0000-0x0000000004BE4000-memory.dmp

Filesize
80KB

Download
memory/1624-91-0x0000000004BE0000-0x0000000004BEE000-memory.dmp

Filesize
56KB

Download
memory/1624-92-0x0000000004C80000-0x0000000004CAE000-memory.dmp

Filesize
184KB

Download
memory/1624-93-0x0000000004D30000-0x0000000004D44000-memory.dmp

Filesize
80KB

Download
memory/1624-95-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1624-96-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1624-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads