nanocore | 5a5b79ba0d6ca74fe3fad866b062600a794a1da6cfe39dfb44e256e8a2175b85

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ae444463c080f41cec9880113950e23.exe
Size

2.1MB
MD5

7ae444463c080f41cec9880113950e23
SHA1

ffb638e40951dfde732f08e414b01ec991ba37cd
SHA256

5a5b79ba0d6ca74fe3fad866b062600a794a1da6cfe39dfb44e256e8a2175b85
SHA512

b0e1a946f413f48484ba3dc820d3b299ad8df8ec4e4d0036c41081945ca695a67368c9c841632dc87f9e684df59402dbacebe2b65b776d33d944934df7680e1b
SSDEEP

49152:1av4KJbboJXTKy2GmKFYrb0INa4uf5JJhDziO5FASrRxBQt2/j8OkYdzFRZIJMdN:1uFVbWXWjBAY0wHLqa+zyyj885RZBN

Score

10^/10

nanocore evasion keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.139:4050

Mutex

52e05d5b-dcbb-4f70-86bd-eb80b3602ddc

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-09T23:01:15.091230736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4050
default_group
money
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
52e05d5b-dcbb-4f70-86bd-eb80b3602ddc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.139
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2740	test.exe
2316	test.exe

Loads dropped DLL 3 IoCs

pid	Process
1832	cmd.exe
1832	cmd.exe
2740	test.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2060-1-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/files/0x000c000000012327-8.dat	upx
behavioral1/memory/2740-7-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/memory/2740-14-0x00000000021C0000-0x0000000002293000-memory.dmp	upx
behavioral1/memory/2740-11-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/memory/2316-9-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2316-20-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2060-19-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2316-21-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2316-17-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	test.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2316	2740	test.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2740	test.exe
2316	test.exe
2316	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	test.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2740	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1832	2060	7ae444463c080f41cec9880113950e23.exe	29
PID 2060 wrote to memory of 1832	2060	7ae444463c080f41cec9880113950e23.exe	29
PID 2060 wrote to memory of 1832	2060	7ae444463c080f41cec9880113950e23.exe	29
PID 2060 wrote to memory of 1832	2060	7ae444463c080f41cec9880113950e23.exe	29
PID 1832 wrote to memory of 2740	1832	cmd.exe	31
PID 1832 wrote to memory of 2740	1832	cmd.exe	31
PID 1832 wrote to memory of 2740	1832	cmd.exe	31
PID 1832 wrote to memory of 2740	1832	cmd.exe	31
PID 2740 wrote to memory of 2316	2740	test.exe	30
PID 2740 wrote to memory of 2316	2740	test.exe	30
PID 2740 wrote to memory of 2316	2740	test.exe	30
PID 2740 wrote to memory of 2316	2740	test.exe	30

C:\Users\Admin\AppData\Local\Temp\7ae444463c080f41cec9880113950e23.exe
"C:\Users\Admin\AppData\Local\Temp\7ae444463c080f41cec9880113950e23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2740

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\test.exe

Filesize
502KB

MD5
bb1822894d880e74c2d146dc3c05f9bb

SHA1
4bf0a018db757e2b599b0b1fc36fb5f345a1a82e

SHA256
25aa68d90f13a87ef317d634b1ac4b066239b0b4037111ebb11bc041ec54f595

SHA512
00a0ff30443b3c4c6104175e20eb64fd4bd33802e90900f49d9888fd3f2cca1c3b5f77cd28bcb1a8691c3fa5ee62502d67e1ef420a261d7a6c2dfd590c2278d0

Download Submit
memory/1832-6-0x00000000023D0000-0x00000000024A3000-memory.dmp

Filesize
844KB

Download
memory/2060-1-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2060-19-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2316-41-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-61-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-80-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2316-23-0x0000000000360000-0x0000000000398000-memory.dmp

Filesize
224KB

Download
memory/2316-22-0x0000000000360000-0x0000000000398000-memory.dmp

Filesize
224KB

Download
memory/2316-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-36-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-48-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-49-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-47-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-46-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-45-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-50-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-52-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-53-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-51-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-54-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-56-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-55-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-58-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-57-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2316-44-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-43-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-42-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-40-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-70-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-38-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-37-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-35-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-34-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-39-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-62-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-64-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-65-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-66-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-67-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-68-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-69-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-77-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-79-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-78-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-76-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-75-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-74-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-73-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2316-72-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2316-71-0x0000000076B40000-0x0000000076C50000-memory.dmp

Filesize
1.1MB

Download
memory/2740-14-0x00000000021C0000-0x0000000002293000-memory.dmp

Filesize
844KB

Download
memory/2740-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2740-7-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2740-11-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2740-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download