nanocore | 74415173fef1195daf0e6647e5e4e8817cfaecf72cb5f96707936bd175405b27

General

Target

Scan00223.exe
Size

1.2MB
MD5

5cdc2ba3ecb6b8b18d2ee2abacaa1eec
SHA1

af6e083f4bc6ea922ea86d2e5809945c2444d561
SHA256

e1cbe1e9e86779580e6a3b92e68d38d3fbeb40dc3b6f10e5bcdd1078ec87023e
SHA512

d7d67fcf0fbd2c5738c0c2a6e9771c8c8e53cb4ec265e4c0cbcfdd0474e758b11675589c4ff09124d1f104b8266aff062fab23d05055d2916eb1ed8865699f6b
SSDEEP

24576:OAHnh+eWsN3skA4RV1Hom2KXMmHasw4aCntfV0I5:5h+ZkldoPK8Yas3L

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.31.187:3000

Mutex

85b72eaa-435b-4ed4-afb0-2dc6909a8443

Attributes

activate_away_mode
true
backup_connection_host
185.244.31.187
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-11-25T09:02:14.508155636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3000
default_group
FEB
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
85b72eaa-435b-4ed4-afb0-2dc6909a8443
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.31.187
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Scan00223.exeBrowserSettingSync.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Scan00223.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BrowserSettingSync.exe

Executes dropped EXE 2 IoCs

Processes:

BrowserSettingSync.exeBrowserSettingSync.exe

pid process

4788 BrowserSettingSync.exe
5008 BrowserSettingSync.exe

pid	process
4788	BrowserSettingSync.exe
5008	BrowserSettingSync.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Scan00223.exeBrowserSettingSync.exe

description	pid	process	target process
PID 2712 set thread context of 2244	2712	Scan00223.exe	RegAsm.exe
PID 4788 set thread context of 4216	4788	BrowserSettingSync.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4696 schtasks.exe
3604 schtasks.exe
4444 schtasks.exe
4836 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegAsm.exe

pid process

2244 RegAsm.exe
2244 RegAsm.exe
2244 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2244 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2244 RegAsm.exe

pid	process
4696	schtasks.exe
3604	schtasks.exe
4444	schtasks.exe
4836	schtasks.exe

pid	process
2244	RegAsm.exe
2244	RegAsm.exe
2244	RegAsm.exe

pid	process
2244	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2244	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Scan00223.exeRegAsm.exeBrowserSettingSync.exe

description	pid	process	target process
PID 2712 wrote to memory of 2244	2712	Scan00223.exe	RegAsm.exe
PID 2712 wrote to memory of 2244	2712	Scan00223.exe	RegAsm.exe
PID 2712 wrote to memory of 2244	2712	Scan00223.exe	RegAsm.exe
PID 2712 wrote to memory of 2244	2712	Scan00223.exe	RegAsm.exe
PID 2712 wrote to memory of 2244	2712	Scan00223.exe	RegAsm.exe
PID 2244 wrote to memory of 4696	2244	RegAsm.exe	schtasks.exe
PID 2244 wrote to memory of 4696	2244	RegAsm.exe	schtasks.exe
PID 2244 wrote to memory of 4696	2244	RegAsm.exe	schtasks.exe
PID 2244 wrote to memory of 3604	2244	RegAsm.exe	schtasks.exe
PID 2244 wrote to memory of 3604	2244	RegAsm.exe	schtasks.exe
PID 2244 wrote to memory of 3604	2244	RegAsm.exe	schtasks.exe
PID 2712 wrote to memory of 4444	2712	Scan00223.exe	schtasks.exe
PID 2712 wrote to memory of 4444	2712	Scan00223.exe	schtasks.exe
PID 2712 wrote to memory of 4444	2712	Scan00223.exe	schtasks.exe
PID 4788 wrote to memory of 4216	4788	BrowserSettingSync.exe	RegAsm.exe
PID 4788 wrote to memory of 4216	4788	BrowserSettingSync.exe	RegAsm.exe
PID 4788 wrote to memory of 4216	4788	BrowserSettingSync.exe	RegAsm.exe
PID 4788 wrote to memory of 4216	4788	BrowserSettingSync.exe	RegAsm.exe
PID 4788 wrote to memory of 4216	4788	BrowserSettingSync.exe	RegAsm.exe
PID 4788 wrote to memory of 4836	4788	BrowserSettingSync.exe	schtasks.exe
PID 4788 wrote to memory of 4836	4788	BrowserSettingSync.exe	schtasks.exe
PID 4788 wrote to memory of 4836	4788	BrowserSettingSync.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Scan00223.exe
"C:\Users\Admin\AppData\Local\Temp\Scan00223.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpECC1.tmp"
3⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp"
3⤵
- Creates scheduled task(s)
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn BluetoothDesktopHandlers /tr "C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4444

C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn BluetoothDesktopHandlers /tr "C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4836

C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
1⤵
- Executes dropped EXE
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpECC1.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp
Filesize
1KB

MD5
5fea24e883e06e4df6d240dc72abf2c5

SHA1
d778bf0f436141e02df4b421e8188abdcc9a84a4

SHA256
e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66

SHA512
15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

Download Submit
C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
Filesize
1.2MB

MD5
a90fbc8481d48550684ab4b68871808a

SHA1
66e6cb6988cf465ab10076528e6d3f0a4a8bcf37

SHA256
c9e17403c588fa8eb5a11bcd34eb510244a482e27ee44db3168c8c0155efd970

SHA512
09770ae83453970da3dfc24f2929b8d922fbe988fecea53acd16ce4aba9303ed39a381614656e62e572b3fa0c5c9e0132f14d2675ad4816230cb3ccd7f1e8c4a

Download Submit
memory/2244-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-6-0x0000000073882000-0x0000000073883000-memory.dmp

Filesize
4KB

Download
memory/2244-7-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/2244-8-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/2244-18-0x0000000073882000-0x0000000073883000-memory.dmp

Filesize
4KB

Download
memory/2244-19-0x0000000073880000-0x0000000073E31000-memory.dmp

Filesize
5.7MB

Download
memory/2712-0-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads