nanocore | bf057fe8bcc9d25c24b876efce0dccf29a5fdbfac6eead9f84665d40d4d7a2a9

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

000526dc124572037c777a5a7a4b6467.exe
Size

633KB
MD5

000526dc124572037c777a5a7a4b6467
SHA1

70d6d0fe041e8c3ab650a1dc3cfba063a9c375d5
SHA256

bf057fe8bcc9d25c24b876efce0dccf29a5fdbfac6eead9f84665d40d4d7a2a9
SHA512

b95e9ce6271de64a3664f383278c7946bd4f399a24dbbf37c181bb610c4b8786a36add00bc2d1e4f99bde7a63b40795aeb9f356d4e66e79a61f4ad7260873a25
SSDEEP

12288:XywV/Ot9mbvTbgmjuSD19g6kH9SPaOV8udDMhg50dvK:XyXKTbgmjueWH9SaY8uuU0d

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

percolysrl2.ddns.net:50720

127.0.0.1:50720

Mutex

e74bc027-822b-4380-a498-5f2147a79fe1

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-05-25T18:31:05.546384936Z
bypass_user_account_control
false
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
50720
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e74bc027-822b-4380-a498-5f2147a79fe1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
percolysrl2.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Host = "C:\\Program Files (x86)\\DOS Host\\doshost.exe"	000526dc124572037c777a5a7a4b6467.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DOS Host\doshost.exe	000526dc124572037c777a5a7a4b6467.exe
File opened for modification	C:\Program Files (x86)\DOS Host\doshost.exe	000526dc124572037c777a5a7a4b6467.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2192	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2780	powershell.exe
2816	000526dc124572037c777a5a7a4b6467.exe
2816	000526dc124572037c777a5a7a4b6467.exe
2816	000526dc124572037c777a5a7a4b6467.exe
2816	000526dc124572037c777a5a7a4b6467.exe
2816	000526dc124572037c777a5a7a4b6467.exe
2816	000526dc124572037c777a5a7a4b6467.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	000526dc124572037c777a5a7a4b6467.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2816	000526dc124572037c777a5a7a4b6467.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2780	2240	000526dc124572037c777a5a7a4b6467.exe	30
PID 2240 wrote to memory of 2780	2240	000526dc124572037c777a5a7a4b6467.exe	30
PID 2240 wrote to memory of 2780	2240	000526dc124572037c777a5a7a4b6467.exe	30
PID 2240 wrote to memory of 2780	2240	000526dc124572037c777a5a7a4b6467.exe	30
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2240 wrote to memory of 2816	2240	000526dc124572037c777a5a7a4b6467.exe	32
PID 2816 wrote to memory of 2192	2816	000526dc124572037c777a5a7a4b6467.exe	33
PID 2816 wrote to memory of 2192	2816	000526dc124572037c777a5a7a4b6467.exe	33
PID 2816 wrote to memory of 2192	2816	000526dc124572037c777a5a7a4b6467.exe	33
PID 2816 wrote to memory of 2192	2816	000526dc124572037c777a5a7a4b6467.exe	33
PID 2816 wrote to memory of 1540	2816	000526dc124572037c777a5a7a4b6467.exe	35
PID 2816 wrote to memory of 1540	2816	000526dc124572037c777a5a7a4b6467.exe	35
PID 2816 wrote to memory of 1540	2816	000526dc124572037c777a5a7a4b6467.exe	35
PID 2816 wrote to memory of 1540	2816	000526dc124572037c777a5a7a4b6467.exe	35

C:\Users\Admin\AppData\Local\Temp\000526dc124572037c777a5a7a4b6467.exe
"C:\Users\Admin\AppData\Local\Temp\000526dc124572037c777a5a7a4b6467.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\000526dc124572037c777a5a7a4b6467.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\000526dc124572037c777a5a7a4b6467.exe
  "C:\Users\Admin\AppData\Local\Temp\000526dc124572037c777a5a7a4b6467.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DOS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DOS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2F2C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp

Filesize
1KB

MD5
e177ee8c99bc62c8c1c8d8d20ec209f7

SHA1
8092afc786626bca03d8d3f91aa0b7cb855ef57e

SHA256
a09f4389d4ae19d23b38bb880412b7a5c2e621df7f8c2af938493bea9faa0419

SHA512
912cc977e06da3c6e3049593a1f3d32c2dba9b0c078d878e20e091512df8a7b6843a42232501798e0dda48af9e65bb78622f4fff55cec54fb51b4e4a0b231618

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F2C.tmp

Filesize
1KB

MD5
e380299eb53398115b7125b2b75c4798

SHA1
ee59b86ea0abf4097ff94bd940521c583803b036

SHA256
edb658b6577a80126eaacdf2a566755b63d7b2438fe0bcf3aea83930036811f3

SHA512
d9e3f3b1370fe4fce4a631a5d0669cef34bfe83dec146b606eff562c7cc450639304a732104f425a7ccfdded58064f28a98434a59ed8d93b595d64d1e1a2dde1

Download Submit
memory/2240-58-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-56-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/2240-75-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-59-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/2240-60-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2240-61-0x0000000004E10000-0x0000000004E84000-memory.dmp

Filesize
464KB

Download
memory/2240-55-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-57-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2240-54-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/2780-90-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2780-95-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-87-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2780-85-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2780-84-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-83-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-98-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2816-76-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-92-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2816-93-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2816-94-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2816-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-77-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2816-99-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/2816-100-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2816-101-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2816-102-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2816-103-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/2816-104-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2816-105-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2816-106-0x0000000002180000-0x0000000002194000-memory.dmp

Filesize
80KB

Download
memory/2816-107-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/2816-108-0x00000000044A0000-0x00000000044CE000-memory.dmp

Filesize
184KB

Download
memory/2816-109-0x00000000022F0000-0x0000000002304000-memory.dmp

Filesize
80KB

Download
memory/2816-110-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-111-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download