nanocore | d47feda760c21df116a2fd8efebcd862604c8cbea8b2af2adb829e32762c8d71

General

Target

b9f29bfdedef84ef3c987240a6f16ea1.exe
Size

216KB
MD5

b9f29bfdedef84ef3c987240a6f16ea1
SHA1

b613154bd48067d186303b3bbfb5bdbcb8a0501a
SHA256

d47feda760c21df116a2fd8efebcd862604c8cbea8b2af2adb829e32762c8d71
SHA512

9435bb04fb08e2be0cdc124387ec74750f95c459d0b2e1dbfb1d507f07125a14ad60a07223c5bcf69a38d9a408d1485faf900f031214afcf58d7d27061257f43
SSDEEP

3072:lKIdcXBReITIQSU9IQDJR3/kAZvnYZ/HqLxm1KUz11R0OFdPovgaVyaTwL4pFuEn:lKIcXvFb99IQTcAUK8px1RpHoXxVFNn

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chinomso.duckdns.org:7688

Mutex

bee718f3-e47a-44f8-955e-2fe2c6c0351c

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2021-01-17T14:27:22.436365536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bee718f3-e47a-44f8-955e-2fe2c6c0351c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	MSBuild.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	MSBuild.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2132	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	MSBuild.exe
2316	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	MSBuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1688	b9f29bfdedef84ef3c987240a6f16ea1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29
PID 1688 wrote to memory of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29
PID 1688 wrote to memory of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29
PID 1688 wrote to memory of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29
PID 1688 wrote to memory of 2316	1688	b9f29bfdedef84ef3c987240a6f16ea1.exe	29
PID 2316 wrote to memory of 2132	2316	MSBuild.exe	30
PID 2316 wrote to memory of 2132	2316	MSBuild.exe	30
PID 2316 wrote to memory of 2132	2316	MSBuild.exe	30
PID 2316 wrote to memory of 2132	2316	MSBuild.exe	30
PID 2316 wrote to memory of 2640	2316	MSBuild.exe	32
PID 2316 wrote to memory of 2640	2316	MSBuild.exe	32
PID 2316 wrote to memory of 2640	2316	MSBuild.exe	32
PID 2316 wrote to memory of 2640	2316	MSBuild.exe	32

C:\Users\Admin\AppData\Local\Temp\b9f29bfdedef84ef3c987240a6f16ea1.exe
"C:\Users\Admin\AppData\Local\Temp\b9f29bfdedef84ef3c987240a6f16ea1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\b9f29bfdedef84ef3c987240a6f16ea1.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6410.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6410.tmp

Filesize
1KB

MD5
ae766004c0d8792953bafffe8f6a2e3b

SHA1
14b12f27543a401e2fe0af8052e116cab0032426

SHA256
1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540

SHA512
e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp

Filesize
1KB

MD5
3d1580c0395f6de62659467f5b7f1acf

SHA1
8e73a3885896cecca7ff799a272fc9ddfe06ea96

SHA256
6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714

SHA512
7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

Download Submit
memory/1688-0-0x0000000001230000-0x0000000001236000-memory.dmp

Filesize
24KB

Download
memory/1688-1-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2316-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-7-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-8-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-9-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2316-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-17-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2316-18-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2316-19-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-20-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-21-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2316-22-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2316-23-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads