nanocore | 9c6c647533d380c250dde31179fdeb02286f169a47e86e2071930512e0b04bac

General

Target

37b91da979f04748d8af3fa4c94a7298.exe
Size

1024KB
MD5

37b91da979f04748d8af3fa4c94a7298
SHA1

5b1acc1964a948700b0aa7f7c331e43f227545e9
SHA256

9c6c647533d380c250dde31179fdeb02286f169a47e86e2071930512e0b04bac
SHA512

a4e56c52abe62527bd5fae30f09b52027739f01596c1b05750dfeaf5b286900dd2605b7e24dc95ead18c0c5106392874be2fdfaa286de314f708b30dd8aeee36
SSDEEP

24576:/o2A4dnEdwBmin0ceXoQjShyrMZJvisa/NJKaO:wbtwN0cgjKzZJvLqJK/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.127:54984

127.0.0.1:54984

Mutex

3994e0df-038e-4283-9a6f-7af7d7806576

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-16T10:50:52.692208236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
iyke
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3994e0df-038e-4283-9a6f-7af7d7806576
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.5.98.127
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Manager = "C:\\Program Files (x86)\\WAN Manager\\wanmgr.exe"	37b91da979f04748d8af3fa4c94a7298.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WAN Manager\wanmgr.exe	37b91da979f04748d8af3fa4c94a7298.exe
File opened for modification	C:\Program Files (x86)\WAN Manager\wanmgr.exe	37b91da979f04748d8af3fa4c94a7298.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2444	schtasks.exe
1840	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	37b91da979f04748d8af3fa4c94a7298.exe
2520	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2444	1216	37b91da979f04748d8af3fa4c94a7298.exe	31
PID 1216 wrote to memory of 2444	1216	37b91da979f04748d8af3fa4c94a7298.exe	31
PID 1216 wrote to memory of 2444	1216	37b91da979f04748d8af3fa4c94a7298.exe	31
PID 1216 wrote to memory of 2444	1216	37b91da979f04748d8af3fa4c94a7298.exe	31
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 1216 wrote to memory of 2520	1216	37b91da979f04748d8af3fa4c94a7298.exe	36
PID 2520 wrote to memory of 2804	2520	37b91da979f04748d8af3fa4c94a7298.exe	35
PID 2520 wrote to memory of 2804	2520	37b91da979f04748d8af3fa4c94a7298.exe	35
PID 2520 wrote to memory of 2804	2520	37b91da979f04748d8af3fa4c94a7298.exe	35
PID 2520 wrote to memory of 2804	2520	37b91da979f04748d8af3fa4c94a7298.exe	35
PID 2520 wrote to memory of 1840	2520	37b91da979f04748d8af3fa4c94a7298.exe	34
PID 2520 wrote to memory of 1840	2520	37b91da979f04748d8af3fa4c94a7298.exe	34
PID 2520 wrote to memory of 1840	2520	37b91da979f04748d8af3fa4c94a7298.exe	34
PID 2520 wrote to memory of 1840	2520	37b91da979f04748d8af3fa4c94a7298.exe	34

C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe
"C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BDebgbQjLdSqY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECCF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe
  "C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE94.tmp"
1⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE64.tmp"
1⤵
- Creates scheduled task(s)
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpECCF.tmp

Filesize
1KB

MD5
515cb002996018e8cab584585ee5e1f5

SHA1
619bf5635e737f920aef5d39ff77e83831ecdec2

SHA256
81dec73d6f61c9fbe10f6a1e39489e68218c422addabcdda273c17b620fd6265

SHA512
c6de10e9f400f22d17bb7e4e54fc3a7eceb0368600d77fec79ae32c1c639963f788579727fc3168d03e8fa55c9239709f6ef919f03960c88306d26fa768b8fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE64.tmp

Filesize
1KB

MD5
cd659a6f031020173dcd3d7c1c208ae3

SHA1
c7dbd665da18ce80f19209b724c739ecfa795781

SHA256
7dce9198cdcee1501f4d2b469bc876eb52703f75b271ee8739c6b15191a43c8e

SHA512
5101a6284733565424849c920a9e9f42e188ab8a552b67877d04b2d0e56202118e456a62af2cc0b84cf2cdfc0b6c3e7dd9ef2ae7d71466bf2d3cd0244d3636b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE94.tmp

Filesize
1KB

MD5
f3cda3e6bab1951e8d59c3eb775a14c6

SHA1
434c1ec851a45c0505fd8fd28159f549e2e9adfd

SHA256
067d3f5167cab2ea4e76f59386df4eaf49c6008f6451e1971274a938ad7bcf44

SHA512
bc79446e4e0204c04abcacef6799aeafe7915c1a5c6bdb3573ba40370d6a6a1e2590eb6315151d12a9447970f993a17463442c5dc0ba97c58df17dddfd73d62c

Download Submit
memory/1216-5-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1216-21-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1216-0-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1216-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1216-2-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1216-4-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1216-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-25-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-23-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-24-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2520-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-33-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-34-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads