nanocore | 9c6c647533d380c250dde31179fdeb02286f169a47e86e2071930512e0b04bac

General

Target

37b91da979f04748d8af3fa4c94a7298.exe
Size

1024KB
MD5

37b91da979f04748d8af3fa4c94a7298
SHA1

5b1acc1964a948700b0aa7f7c331e43f227545e9
SHA256

9c6c647533d380c250dde31179fdeb02286f169a47e86e2071930512e0b04bac
SHA512

a4e56c52abe62527bd5fae30f09b52027739f01596c1b05750dfeaf5b286900dd2605b7e24dc95ead18c0c5106392874be2fdfaa286de314f708b30dd8aeee36
SSDEEP

24576:/o2A4dnEdwBmin0ceXoQjShyrMZJvisa/NJKaO:wbtwN0cgjKzZJvLqJK/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.127:54984

127.0.0.1:54984

Mutex

3994e0df-038e-4283-9a6f-7af7d7806576

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-16T10:50:52.692208236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
iyke
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3994e0df-038e-4283-9a6f-7af7d7806576
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.5.98.127
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	37b91da979f04748d8af3fa4c94a7298.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	37b91da979f04748d8af3fa4c94a7298.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WAN Service\wansv.exe	37b91da979f04748d8af3fa4c94a7298.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	37b91da979f04748d8af3fa4c94a7298.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3612	schtasks.exe
4048	schtasks.exe
3628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2060	37b91da979f04748d8af3fa4c94a7298.exe
2060	37b91da979f04748d8af3fa4c94a7298.exe
2060	37b91da979f04748d8af3fa4c94a7298.exe
2060	37b91da979f04748d8af3fa4c94a7298.exe
2904	37b91da979f04748d8af3fa4c94a7298.exe
2904	37b91da979f04748d8af3fa4c94a7298.exe
2904	37b91da979f04748d8af3fa4c94a7298.exe
2904	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	37b91da979f04748d8af3fa4c94a7298.exe
Token: SeDebugPrivilege	2904	37b91da979f04748d8af3fa4c94a7298.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3612	2060	37b91da979f04748d8af3fa4c94a7298.exe	101
PID 2060 wrote to memory of 3612	2060	37b91da979f04748d8af3fa4c94a7298.exe	101
PID 2060 wrote to memory of 3612	2060	37b91da979f04748d8af3fa4c94a7298.exe	101
PID 2060 wrote to memory of 5048	2060	37b91da979f04748d8af3fa4c94a7298.exe	103
PID 2060 wrote to memory of 5048	2060	37b91da979f04748d8af3fa4c94a7298.exe	103
PID 2060 wrote to memory of 5048	2060	37b91da979f04748d8af3fa4c94a7298.exe	103
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2060 wrote to memory of 2904	2060	37b91da979f04748d8af3fa4c94a7298.exe	104
PID 2904 wrote to memory of 4048	2904	37b91da979f04748d8af3fa4c94a7298.exe	105
PID 2904 wrote to memory of 4048	2904	37b91da979f04748d8af3fa4c94a7298.exe	105
PID 2904 wrote to memory of 4048	2904	37b91da979f04748d8af3fa4c94a7298.exe	105
PID 2904 wrote to memory of 3628	2904	37b91da979f04748d8af3fa4c94a7298.exe	107
PID 2904 wrote to memory of 3628	2904	37b91da979f04748d8af3fa4c94a7298.exe	107
PID 2904 wrote to memory of 3628	2904	37b91da979f04748d8af3fa4c94a7298.exe	107

C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe
"C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BDebgbQjLdSqY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe
  "C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe"
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe
  "C:\Users\Admin\AppData\Local\Temp\37b91da979f04748d8af3fa4c94a7298.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp212F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4048
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp215F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\37b91da979f04748d8af3fa4c94a7298.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp

Filesize
1KB

MD5
3ea4418099653296890b170ccff91495

SHA1
c36d420c057cd3590f69bf8a3f5336707e308296

SHA256
16c7a887651c127183f34f4d499cd3e104336c406028873669b14f2430dce8ad

SHA512
ce3a7e17b938388c8ff70768aab3a1309a8d6d56e215c6087dee11b71bff17b3e3bb0ce9b4075d36ea179741509b060772180e673853ec84182cedf0466d40d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp212F.tmp

Filesize
1KB

MD5
cd659a6f031020173dcd3d7c1c208ae3

SHA1
c7dbd665da18ce80f19209b724c739ecfa795781

SHA256
7dce9198cdcee1501f4d2b469bc876eb52703f75b271ee8739c6b15191a43c8e

SHA512
5101a6284733565424849c920a9e9f42e188ab8a552b67877d04b2d0e56202118e456a62af2cc0b84cf2cdfc0b6c3e7dd9ef2ae7d71466bf2d3cd0244d3636b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp215F.tmp

Filesize
1KB

MD5
eb527779d4a920bac8c3c59e8f4b4b4c

SHA1
4c9c48fd4ab89a983c87d810577133dc281160b4

SHA256
97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2

SHA512
a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0

Download Submit
memory/2060-4-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/2060-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2060-1-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/2060-5-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/2060-3-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2060-0-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2060-15-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2904-16-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/2904-17-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2904-14-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2904-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-25-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/2904-26-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2904-27-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/2904-28-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads