nanocore | a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73

General

Target

a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe
Size

578KB
MD5

6e65813ad51126c4fcabcf6ad9267e26
SHA1

24918b78ec2c68569ca9c5236b5f56bc09ea3f48
SHA256

a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73
SHA512

e5d09453b2a50d0338cd6ab2aa2670b55f4c1b6ddfc9c15c7c82648d736ec67bd7c48612e5bdbd8b1d06e047f33628d6b457296a1b412b7b18dfba7d59d361dd
SSDEEP

12288:6nPdx6ltZqggFJbkdQRYPa1RTwexrKQQaZdV+RzA:GPdx6bozkQOP2c28aZSO

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

titus.casacam.net:9036

titus102023.ddns.net:9036

Mutex

d43d6cb7-6cff-4be1-8d91-60045bc4f141

Attributes

activate_away_mode
true
backup_connection_host
titus102023.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-06-15T12:24:36.251697536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9036
default_group
sept03
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d43d6cb7-6cff-4be1-8d91-60045bc4f141
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
titus.casacam.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
1652	vvavnhuhk.exe
1696	vvavnhuhk.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe
1652	vvavnhuhk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuypgl = "C:\\Users\\Admin\\AppData\\Roaming\\kpgwbrim\\dhxos.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vvavnhuhk.exe\" "	vvavnhuhk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vvavnhuhk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 1696	1652	vvavnhuhk.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1696	vvavnhuhk.exe
1696	vvavnhuhk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	vvavnhuhk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1652	vvavnhuhk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	vvavnhuhk.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1652	2188	a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe	28
PID 2188 wrote to memory of 1652	2188	a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe	28
PID 2188 wrote to memory of 1652	2188	a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe	28
PID 2188 wrote to memory of 1652	2188	a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe	28
PID 1652 wrote to memory of 1696	1652	vvavnhuhk.exe	29
PID 1652 wrote to memory of 1696	1652	vvavnhuhk.exe	29
PID 1652 wrote to memory of 1696	1652	vvavnhuhk.exe	29
PID 1652 wrote to memory of 1696	1652	vvavnhuhk.exe	29
PID 1652 wrote to memory of 1696	1652	vvavnhuhk.exe	29
PID 1696 wrote to memory of 1660	1696	vvavnhuhk.exe	30
PID 1696 wrote to memory of 1660	1696	vvavnhuhk.exe	30
PID 1696 wrote to memory of 1660	1696	vvavnhuhk.exe	30
PID 1696 wrote to memory of 1660	1696	vvavnhuhk.exe	30

C:\Users\Admin\AppData\Local\Temp\a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a335c9ad21f67b44232a6f31f5605b013167628f63e7e00a3fc840a8ab9afc73_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe
  "C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe
    "C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB2FA.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB2FA.tmp

Filesize
1KB

MD5
cfe39e5b215dd5b7f0aa7e77d7605cc1

SHA1
3c8542caff4e3994724fec05980bf2678fa519c1

SHA256
ce2159bf425643195286be1703d475e06428fe277850ef0b23d9795724f64281

SHA512
2a4f085bad4f965160e66f184c5e67ba4596f480fab00734abf6e5ad52ff8838a3a0009977e83e9093224c6c0700ff4aad9cbf50d0a406369eedacb0dc4d2696

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe

Filesize
228KB

MD5
da5469e9e5aa5bd4ae3be7579183cbe7

SHA1
1c7cb556110da4aa11a0ee3acc9cd46a4a9fc917

SHA256
45499b2eb6802cea34e6e87c16c2ba7c4b8e5e27cbd336cbcdd59dbb1f5577e2

SHA512
e237955d27c54a5bc5e7c75d224087556f46098b5a96b6e0e3ea7beb401846c623df764cd8c01d296c01c2ecd26dda483de08a7050d1c0b9d41dd3c109ed568f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe

Filesize
228KB

MD5
da5469e9e5aa5bd4ae3be7579183cbe7

SHA1
1c7cb556110da4aa11a0ee3acc9cd46a4a9fc917

SHA256
45499b2eb6802cea34e6e87c16c2ba7c4b8e5e27cbd336cbcdd59dbb1f5577e2

SHA512
e237955d27c54a5bc5e7c75d224087556f46098b5a96b6e0e3ea7beb401846c623df764cd8c01d296c01c2ecd26dda483de08a7050d1c0b9d41dd3c109ed568f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe

Filesize
228KB

MD5
da5469e9e5aa5bd4ae3be7579183cbe7

SHA1
1c7cb556110da4aa11a0ee3acc9cd46a4a9fc917

SHA256
45499b2eb6802cea34e6e87c16c2ba7c4b8e5e27cbd336cbcdd59dbb1f5577e2

SHA512
e237955d27c54a5bc5e7c75d224087556f46098b5a96b6e0e3ea7beb401846c623df764cd8c01d296c01c2ecd26dda483de08a7050d1c0b9d41dd3c109ed568f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzqsql.ep

Filesize
301KB

MD5
70a1cd5de0ece54a4ad70769e0b0439c

SHA1
0aae1625b230e8f7e993d1428ebe12cdd1f8712f

SHA256
10b7d3b9102d5e12af2e93c6d30283b36ebdeb25a17fbd848dfb5281beef8aa1

SHA512
514c7ae35ad6e06fc9a752b492eba8fce41f6ca380e55a644c8f3d8207de203289e69f878603f36730cee5543e191d674243466df54e2972d7f3089f67cd9cc8

Download Submit
\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe

Filesize
228KB

MD5
da5469e9e5aa5bd4ae3be7579183cbe7

SHA1
1c7cb556110da4aa11a0ee3acc9cd46a4a9fc917

SHA256
45499b2eb6802cea34e6e87c16c2ba7c4b8e5e27cbd336cbcdd59dbb1f5577e2

SHA512
e237955d27c54a5bc5e7c75d224087556f46098b5a96b6e0e3ea7beb401846c623df764cd8c01d296c01c2ecd26dda483de08a7050d1c0b9d41dd3c109ed568f

Download Submit
\Users\Admin\AppData\Local\Temp\vvavnhuhk.exe

Filesize
228KB

MD5
da5469e9e5aa5bd4ae3be7579183cbe7

SHA1
1c7cb556110da4aa11a0ee3acc9cd46a4a9fc917

SHA256
45499b2eb6802cea34e6e87c16c2ba7c4b8e5e27cbd336cbcdd59dbb1f5577e2

SHA512
e237955d27c54a5bc5e7c75d224087556f46098b5a96b6e0e3ea7beb401846c623df764cd8c01d296c01c2ecd26dda483de08a7050d1c0b9d41dd3c109ed568f

Download Submit
memory/1652-6-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/1696-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1696-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1696-17-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-19-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-20-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-21-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1696-26-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-27-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-28-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-29-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1696-30-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads