nanocore | 14f41e52e85831bb42d9122b038fe76e86bc084e10636d086a4bd9f7f26abc97

General

Target

nje91q.zip
Size

632KB
MD5

f85c33dc9b710080b0691cb9170a0924
SHA1

a5ffe397ce816453a59992da2d545aefb53cdd23
SHA256

14f41e52e85831bb42d9122b038fe76e86bc084e10636d086a4bd9f7f26abc97
SHA512

ed126ca04306853ba28e298fe890829932406cc376c2460e5def5695b59bf79b9981222333d8a168af4c753603f6813a7533776324aa33f402369fc9ae928a76
SSDEEP

12288:rUwiC/+f9QM+Uug1e+12zqguO2zhnp7clY/3lqH98PM:4wv8QM+Uug132zRuO20lA4d8PM

Score

10^/10

nanocore execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

december2nd.ddns.net:65024

december2n.duckdns.org:65024

Mutex

2c009a56-c28c-48f4-8875-acf9e1222e9f

Attributes

activate_away_mode
false
backup_connection_host
december2n.duckdns.org
backup_dns_server
buffer_size
65535
build_time
2024-02-17T09:12:36.211032636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
65024
default_group
NO GREE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2c009a56-c28c-48f4-8875-acf9e1222e9f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
december2nd.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1860 powershell.exe
2388 powershell.exe

pid	process
1860	powershell.exe
2388	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	RegSvcs.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

63HiIJrDNvEfDcl.exe

description pid process target process

PID 3008 set thread context of 1364 3008 63HiIJrDNvEfDcl.exe RegSvcs.exe

description	pid	process	target process
PID 3008 set thread context of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2484 schtasks.exe
1992 schtasks.exe
2820 schtasks.exe

pid	process
2484	schtasks.exe
1992	schtasks.exe
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

63HiIJrDNvEfDcl.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
3008	63HiIJrDNvEfDcl.exe
2388	powershell.exe
1860	powershell.exe
1364	RegSvcs.exe
1364	RegSvcs.exe
1364	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1364 RegSvcs.exe

pid	process
1364	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

63HiIJrDNvEfDcl.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3008	63HiIJrDNvEfDcl.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1364	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

63HiIJrDNvEfDcl.exeRegSvcs.exe

description	pid	process	target process
PID 3008 wrote to memory of 1860	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 1860	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 1860	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 1860	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 2388	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 2388	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 2388	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 2388	3008	63HiIJrDNvEfDcl.exe	powershell.exe
PID 3008 wrote to memory of 2484	3008	63HiIJrDNvEfDcl.exe	schtasks.exe
PID 3008 wrote to memory of 2484	3008	63HiIJrDNvEfDcl.exe	schtasks.exe
PID 3008 wrote to memory of 2484	3008	63HiIJrDNvEfDcl.exe	schtasks.exe
PID 3008 wrote to memory of 2484	3008	63HiIJrDNvEfDcl.exe	schtasks.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 3008 wrote to memory of 1364	3008	63HiIJrDNvEfDcl.exe	RegSvcs.exe
PID 1364 wrote to memory of 1992	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 1992	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 1992	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 1992	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 2820	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 2820	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 2820	1364	RegSvcs.exe	schtasks.exe
PID 1364 wrote to memory of 2820	1364	RegSvcs.exe	schtasks.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\nje91q.zip
1⤵
PID:2168

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2324

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2608

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrwJUPrQkQA.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrwJUPrQkQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp"
2⤵
- Creates scheduled task(s)
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E83.tmp"
3⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp"
3⤵
- Creates scheduled task(s)
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp
Filesize
1KB

MD5
7c9a9c83ac0ae2abd4053fb4f16c0a76

SHA1
67ffcb1749a038ee73e689d87b19b23d0ef3104d

SHA256
abd07821d0f2f75bdf03a69be00e36cf9e2957892e08796c499ab0c7bccf65d2

SHA512
4a5bd41f8eacd4529a5c766cdd6450fcd2a9626910769086e659845775970e7eeb2ce227f8f02f3431b5c8b226f2b0f8e58a5a1a0d8293e6c52f320b13e875f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E83.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp
Filesize
1KB

MD5
3d1580c0395f6de62659467f5b7f1acf

SHA1
8e73a3885896cecca7ff799a272fc9ddfe06ea96

SHA256
6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714

SHA512
7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3T0WR6IBHYQ412XI7P5T.temp
Filesize
7KB

MD5
ddf579040018c49f1d915cf2d062b8cb

SHA1
c69daa8b8bf88ecd361b3e05f9b073d0dcf7bd73

SHA256
665476cf6da09d9423f309df2091aa30db3d55f27fa5c04edc662dbb337ca945

SHA512
2f6c6ad057dcff7fa82bbfcdccab233a74dd8901d09d40b1d7d4666b23995991fef89487efd11421435d9d93ca57e8f83b82380cea2015a987684473c4e71f0a

Download Submit
memory/1364-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1364-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-39-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/1364-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-38-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download
memory/1364-37-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1364-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-36-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/3008-1-0x0000000000BA0000-0x0000000000BBE000-memory.dmp

Filesize
120KB

Download
memory/3008-2-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x0000000000EF0000-0x0000000000F9C000-memory.dmp

Filesize
688KB

Download
memory/3008-3-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/3008-4-0x0000000005D60000-0x0000000005DDC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads