nanocore | ab4e6989aa2da547c0c1e29e7d2b950f28b43d2115ea3c5a93d5932eddf6621b

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 14:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word.exe
Size

405KB
MD5

b21efaf9265cbc9ac2c833ff575aa7eb
SHA1

c90ad9f1c91f7d33c7ff42cfebc6941c6c4c6e31
SHA256

ab4e6989aa2da547c0c1e29e7d2b950f28b43d2115ea3c5a93d5932eddf6621b
SHA512

8b042beac380a7e971b3051cd8525420485ea295175f8e61bf2ead3985079005a627b5a3e69708d0e3ac19065d341baf9acfd5bbf65e163afb1b8b630526f586
SSDEEP

12288:SYY9mAaoUL4XNN5sqgHrSGIRfJmar7mQXMxGzj:SYYcAZi4XNKybr7mQcx2j

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

194.180.48.119:4444

Mutex

2bed2857-756c-4d05-b4b9-330686a61bc6

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-02T04:48:33.711034036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4444
default_group
money
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2bed2857-756c-4d05-b4b9-330686a61bc6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.180.48.119
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
5024	jvratda.exe
1948	jvratda.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvvfbbktt = "C:\\Users\\Admin\\AppData\\Roaming\\pllueyyiee\\nwwscclhqq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jvratda.exe\" "	jvratda.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jvratda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 1948	5024	jvratda.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1948	jvratda.exe
1948	jvratda.exe
1948	jvratda.exe
1948	jvratda.exe
1948	jvratda.exe
1948	jvratda.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1948	jvratda.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5024	jvratda.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	jvratda.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 5024	3828	word.exe	86
PID 3828 wrote to memory of 5024	3828	word.exe	86
PID 3828 wrote to memory of 5024	3828	word.exe	86
PID 5024 wrote to memory of 1948	5024	jvratda.exe	88
PID 5024 wrote to memory of 1948	5024	jvratda.exe	88
PID 5024 wrote to memory of 1948	5024	jvratda.exe	88
PID 5024 wrote to memory of 1948	5024	jvratda.exe	88

C:\Users\Admin\AppData\Local\Temp\word.exe
"C:\Users\Admin\AppData\Local\Temp\word.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\jvratda.exe
  "C:\Users\Admin\AppData\Local\Temp\jvratda.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\jvratda.exe
    "C:\Users\Admin\AppData\Local\Temp\jvratda.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1948

Network

DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

119.48.180.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.48.180.194.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

121.208.253.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.208.253.8.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

200.201.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.201.50.20.in-addr.arpa

IN PTR

Response

194.180.48.119:4444

jvratda.exe

11.7kB
358.2kB
213
358

8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

119.48.180.194.in-addr.arpa

dns

73 B
148 B
1
1

DNS Request

119.48.180.194.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

121.208.253.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

121.208.253.8.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

200.201.50.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

200.201.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdeoksluvr.pb

Filesize
301KB

MD5
cef24d01cf14dc731da55bb26a9313c7

SHA1
69a6bc65980f76cd6c016bd6640fec32015432a5

SHA256
7321a852587db16ecbf9158997602a7e168b0d2427311915501f84d5a1cdb442

SHA512
49d74efbba8ba94e01caaec3c665a6c089ab342b11175969080479f7452bc59e2cff1ea04a4348ba988ad21f51ef4997e98d9eb27edde179abe4fde38d91be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvratda.exe

Filesize
152KB

MD5
2affdf960bb3875b60d389c42a35beae

SHA1
74d501199b9d4a9d8e3d86352f3e9d97911ca4fc

SHA256
757846dfec1f48c146913e46830d13240a8ba85cd32044de03dbf9ddc0a84a9e

SHA512
fe6e95e395735b19e59248da5e4cb84f01785776a332c6eef91daa46811e5895d429cd334af0cd0dcf21b1ccd9e5c78d5e0bec845865a11b679cc8aab8c5e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvratda.exe

Filesize
152KB

MD5
2affdf960bb3875b60d389c42a35beae

SHA1
74d501199b9d4a9d8e3d86352f3e9d97911ca4fc

SHA256
757846dfec1f48c146913e46830d13240a8ba85cd32044de03dbf9ddc0a84a9e

SHA512
fe6e95e395735b19e59248da5e4cb84f01785776a332c6eef91daa46811e5895d429cd334af0cd0dcf21b1ccd9e5c78d5e0bec845865a11b679cc8aab8c5e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvratda.exe

Filesize
152KB

MD5
2affdf960bb3875b60d389c42a35beae

SHA1
74d501199b9d4a9d8e3d86352f3e9d97911ca4fc

SHA256
757846dfec1f48c146913e46830d13240a8ba85cd32044de03dbf9ddc0a84a9e

SHA512
fe6e95e395735b19e59248da5e4cb84f01785776a332c6eef91daa46811e5895d429cd334af0cd0dcf21b1ccd9e5c78d5e0bec845865a11b679cc8aab8c5e743

Download Submit
memory/1948-12-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1948-8-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1948-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1948-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1948-14-0x0000000074150000-0x0000000074701000-memory.dmp

Filesize
5.7MB

Download
memory/1948-15-0x0000000074150000-0x0000000074701000-memory.dmp

Filesize
5.7MB

Download
memory/1948-16-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/1948-17-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/1948-18-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/1948-23-0x0000000074150000-0x0000000074701000-memory.dmp

Filesize
5.7MB

Download
memory/1948-24-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/1948-25-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/5024-5-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.