nanocore | d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe
Size

181KB
MD5

e52cac9aee243b03a354457e06e1cc56
SHA1

1645b39915391e9c9d795ed486b3ccbc82e85d6d
SHA256

d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9
SHA512

431e9c278df20ee3616ccf95c792d650f4cbfa496874e91f7a667fbcd529dab1b4ae62869d7fe3c674cc6adee988fc52ce69d3f8788616790a4815148c754576
SSDEEP

768:oSalbEkZQOaO5Yf0WzR6ES0JXtZhVm13j2tSHPWcSaY2:I3ZaVz7SH

Score

10^/10

nanocore purecrypter downloader keylogger loader persistence spyware stealer trojan

Malware Config

Extracted

Family

purecrypter

https://files.catbox.moe/ic3ybn.wav

Extracted

Family

nanocore

Version

1.2.2.0

6191.ddns.net:6191

103.212.81.152:6191

Mutex

7d2b9b7b-8607-4b8a-87ad-c9b5425fdb05

Attributes

activate_away_mode
true
backup_connection_host
103.212.81.152
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-05-24T02:01:05.557236936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6191
default_group
6191
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7d2b9b7b-8607-4b8a-87ad-c9b5425fdb05
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
6191.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Monitor = "C:\\Program Files (x86)\\DOS Monitor\\dosmon.exe"	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bigcazpg = "C:\\Users\\Admin\\AppData\\Roaming\\Bigcazpg.exe"	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4300 set thread context of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe	MSBuild.exe
File opened for modification	C:\Program Files (x86)\DOS Monitor\dosmon.exe	MSBuild.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
848	schtasks.exe
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4152	MSBuild.exe
4152	MSBuild.exe
4152	MSBuild.exe
4152	MSBuild.exe
4152	MSBuild.exe
4152	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4152	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe
Token: SeDebugPrivilege	4152	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4300 wrote to memory of 4152	4300	d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe	89
PID 4152 wrote to memory of 848	4152	MSBuild.exe	90
PID 4152 wrote to memory of 848	4152	MSBuild.exe	90
PID 4152 wrote to memory of 848	4152	MSBuild.exe	90
PID 4152 wrote to memory of 4408	4152	MSBuild.exe	92
PID 4152 wrote to memory of 4408	4152	MSBuild.exe	92
PID 4152 wrote to memory of 4408	4152	MSBuild.exe	92

C:\Users\Admin\AppData\Local\Temp\d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe
"C:\Users\Admin\AppData\Local\Temp\d8185c71389bf25a1ee30a7fcdf94effec827097af0bd240e9fcaba62cf454d9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DOS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB7E6.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:848
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DOS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB8D1.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB7E6.tmp

Filesize
1KB

MD5
3e2b26ed8b75ae83a269595180e84ef6

SHA1
d30a0335fcce406bca8ba5764288235e6192f608

SHA256
108be30aeb8eb31c185a39a6726f26dacbc4e4124951c61a29ade4b7038c71ea

SHA512
b6981c68fcb886cc8379a068b96931b9d4f5cc5aa9bdc467e36c4168fe6c5273a2a84d8850b12c11703ec03ac6b1f1950d1e669efcb59fc2402ce4bba9dc03d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB8D1.tmp

Filesize
1KB

MD5
b167179960db9fca3a7c0fa38c6f4cf7

SHA1
bd26271dc26fde6e47f87624100dc31c3e710226

SHA256
e8c60ac3403e13489278a82b5ece6bc092c27a69b6f5359275bc6b1c57bd1f13

SHA512
2d4a7bdab2e4a67ef6092f42b373a81f53800ff7772736cd2828d376159ddb4eebc29a3a12007fe70dc2c63712a9ac1a1a31a45b5d401a6fc01d4690dbbb75cc

Download Submit
memory/4152-1224-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4152-1223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4152-1225-0x0000000005500000-0x000000000559C000-memory.dmp

Filesize
624KB

Download
memory/4152-1226-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4152-1241-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4152-1240-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4152-1239-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4152-1237-0x0000000006F90000-0x0000000006FF6000-memory.dmp

Filesize
408KB

Download
memory/4152-1234-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4300-168-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-180-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-142-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-144-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-146-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-148-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-150-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-152-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-154-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-156-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-158-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-160-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-162-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-164-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-166-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-139-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-170-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-172-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-174-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-176-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-178-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-140-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-182-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-184-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-186-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-188-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-190-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-192-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-194-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-196-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-198-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-200-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-202-0x0000000008E90000-0x0000000008F63000-memory.dmp

Filesize
844KB

Download
memory/4300-138-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/4300-137-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4300-136-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/4300-135-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/4300-134-0x00000000006B0000-0x00000000006E4000-memory.dmp

Filesize
208KB

Download
memory/4300-133-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4300-351-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4300-740-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4300-1217-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/4300-1218-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4300-1222-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download