nanocore | c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85

General

Target

PROOF OF PAYMENT.scr.exe
Size

670KB
MD5

11b19b59f657910f0af49721a77bc2dd
SHA1

3078779d892bd96e5dfddb76d491f52eefd39a2d
SHA256

c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
SHA512

de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2
SSDEEP

12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:3190

Mutex

3ccbc5bb-95bf-4854-a1cd-6f73b82adcba

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-02-04T08:58:27.782943536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
GLORY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3ccbc5bb-95bf-4854-a1cd-6f73b82adcba
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PROOF OF PAYMENT.scr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe"	PROOF OF PAYMENT.scr.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PROOF OF PAYMENT.scr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.scr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PROOF OF PAYMENT.scr.exe

description pid process target process

PID 1996 set thread context of 2616 1996 PROOF OF PAYMENT.scr.exe PROOF OF PAYMENT.scr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PROOF OF PAYMENT.scr.exe

description	pid	process	target process
PID 1996 set thread context of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe

Drops file in Program Files directory 2 IoCs

Processes:

PROOF OF PAYMENT.scr.exe

description	ioc	process
File created	C:\Program Files (x86)\NAS Host\nashost.exe	PROOF OF PAYMENT.scr.exe
File opened for modification	C:\Program Files (x86)\NAS Host\nashost.exe	PROOF OF PAYMENT.scr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2924 schtasks.exe

pid	process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

PROOF OF PAYMENT.scr.exepowershell.exepowershell.exePROOF OF PAYMENT.scr.exe

pid	process
1996	PROOF OF PAYMENT.scr.exe
1996	PROOF OF PAYMENT.scr.exe
1996	PROOF OF PAYMENT.scr.exe
2604	powershell.exe
2744	powershell.exe
1996	PROOF OF PAYMENT.scr.exe
1996	PROOF OF PAYMENT.scr.exe
2616	PROOF OF PAYMENT.scr.exe
2616	PROOF OF PAYMENT.scr.exe
2616	PROOF OF PAYMENT.scr.exe
2616	PROOF OF PAYMENT.scr.exe
2616	PROOF OF PAYMENT.scr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PROOF OF PAYMENT.scr.exe

pid process

2616 PROOF OF PAYMENT.scr.exe

pid	process
2616	PROOF OF PAYMENT.scr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PROOF OF PAYMENT.scr.exepowershell.exepowershell.exePROOF OF PAYMENT.scr.exe

description	pid	process
Token: SeDebugPrivilege	1996	PROOF OF PAYMENT.scr.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2616	PROOF OF PAYMENT.scr.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PROOF OF PAYMENT.scr.exe

description	pid	process	target process
PID 1996 wrote to memory of 2744	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2744	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2744	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2744	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2604	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2604	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2604	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2604	1996	PROOF OF PAYMENT.scr.exe	powershell.exe
PID 1996 wrote to memory of 2924	1996	PROOF OF PAYMENT.scr.exe	schtasks.exe
PID 1996 wrote to memory of 2924	1996	PROOF OF PAYMENT.scr.exe	schtasks.exe
PID 1996 wrote to memory of 2924	1996	PROOF OF PAYMENT.scr.exe	schtasks.exe
PID 1996 wrote to memory of 2924	1996	PROOF OF PAYMENT.scr.exe	schtasks.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe
PID 1996 wrote to memory of 2616	1996	PROOF OF PAYMENT.scr.exe	PROOF OF PAYMENT.scr.exe

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp
Filesize
1KB

MD5
38a146917c3db856f6cfb92638254203

SHA1
ad5a156d5d11521b965e6fd4daf8e3c3f6639df2

SHA256
5579fc46416a9c96e314fc29ca9ea0573baf67c9ef03736c045034fc2f8a51ff

SHA512
9f3e04177eb57e257734beb88073e49b9f68a9cfb224bc49e719429a84e383a673d5b4cc89b77e05d7cf9c5d7d2d3da29d4f9795d2b0a9e2f64ac7720314e84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5b637460fd5d21a96ae0b9188e1329bc

SHA1
3cd97a167d678e3655d3f94fa907214beb624990

SHA256
6aba57c66f61015ed321ab7912114390ae9a3d22649dfa4c64020edce799c159

SHA512
90af8086cbb7532947d13a362e14dc350bda42a127a7f070346be8734aee97ba46dcd6a3894d5488c07c0f47c0ae7f10825b86c17ff448349c5d6b47811bd7d3

Download Submit
memory/1996-3-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/1996-4-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/1996-5-0x0000000004CA0000-0x0000000004D1A000-memory.dmp

Filesize
488KB

Download
memory/1996-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/1996-1-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-39-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-0-0x0000000000D90000-0x0000000000E3C000-memory.dmp

Filesize
688KB

Download
memory/2604-25-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-19-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-46-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-23-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2604-26-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2616-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-57-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2616-64-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2616-63-0x0000000002260000-0x0000000002274000-memory.dmp

Filesize
80KB

Download
memory/2616-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-62-0x00000000048E0000-0x000000000490E000-memory.dmp

Filesize
184KB

Download
memory/2616-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-61-0x0000000002240000-0x000000000224E000-memory.dmp

Filesize
56KB

Download
memory/2616-40-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-41-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2616-44-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2616-45-0x0000000000630000-0x000000000064E000-memory.dmp

Filesize
120KB

Download
memory/2616-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-60-0x0000000000D80000-0x0000000000D94000-memory.dmp

Filesize
80KB

Download
memory/2616-47-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2616-50-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-52-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2616-53-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/2616-54-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2616-55-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/2616-56-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2616-59-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2616-58-0x0000000000CB0000-0x0000000000CC4000-memory.dmp

Filesize
80KB

Download
memory/2744-24-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-48-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-22-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2744-21-0x000000006F430000-0x000000006F9DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-28-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2744-27-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads