General
Target: NanoCore.zip
Size: 3.0MB
Sample: 240526-vk7nrade4s
MD5: 6c0a9ed900116384af83c62988a9d606
SHA1: 953d2fc14cee6fc7413717e0a6fce207a07e0934
SHA256: 998d98fbca6ae5d844debade10eeb73f58dbbf9f0f47eeffa0c05fcaa0dffb55
SHA512: 7356b0352202511e5cca101ba24f236c440f199f5e0fdb8196058327586ee465f2f350481353ea425e5178045bc0dd726b98bfdec91ec29d4f2bf2116d0b2a34
SSDEEP: 98304:VoVRBHc5IRPp3YaqGdtiWiSP2Tnlgcb5+B68n+PsGbMb:VKliBG/P2Tnl/tMrb
Behavioral task: behavioral1
Sample: NanoCore/NanoCore.exe
Resource: win7-20231129-en

Malware Config
Extracted: darkcomet
Botnet: IDMAN
C2: arrivals.ddns.net:2323
Mutex: DC_MUTEX-391X2ZJ
InstallPath: MSDCSC\IDMAN.exe
gencode: CUWbhGwmWBMb
install: true
offline_keylogger: true
persistence: true
reg_key: IDMAN
Targets
Target: NanoCore/NanoCore.exe
Size: 1.1MB
MD5: e4aeb7b31d677a5a9a58a4762fab1321
SHA1: a5e7279b6d59236296031ff87976e33fbd8cf34d
SHA256: 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
SHA512: 964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
SSDEEP: 24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Checks computer location settings: looks up the country code configured in the registry, likely geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Create or Modify System Process: 1
Windows Service: 1