nanocore | d51eb6b4f29baee5535b5fbb4956778a6d29124dc430ff754dc5fa0710ca9f30

General

Target

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Size

393KB
MD5

137010e7e4327989c8470a609fc1ac22
SHA1

1223c4aaf752e981d905e52158deec8de50b9e63
SHA256

46eb859b89dd55d98d539f49e1cf843a5fa4da648aad21490b0a4c0dfbb0a15b
SHA512

b913a845b274d90206dcaf31843281611882b74428101c1e74141013b0d8d9dae132ab7b4a6d84aa4f18c639a635431298f56ca40d9d4572511f53b14feab3e5
SSDEEP

6144:QKikPFRfxMnQcBJjixiYiVqZ6Yb9s0sRFJ47nVQoSt:UkP3WjYpZYYK0OF27nVQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.158.139.164:1985

127.0.0.1:1985

Mutex

6aa6fff8-65a4-458a-93ce-2335bfa3d428

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-14T19:50:56.724742636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1985
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6aa6fff8-65a4-458a-93ce-2335bfa3d428
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.158.139.164
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTE.url	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

description pid process target process

PID 3000 set thread context of 2948 3000 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 3000 set thread context of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2540 schtasks.exe
2688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exeRegAsm.exe

pid process

3000 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
3000 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
2948 RegAsm.exe
2948 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2948 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3000 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Token: SeDebugPrivilege 2948 RegAsm.exe

pid	process
2540	schtasks.exe
2688	schtasks.exe

pid	process
3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
2948	RegAsm.exe
2948	RegAsm.exe

pid	process
2948	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Token: SeDebugPrivilege	2948	RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.execsc.exeRegAsm.exe

description	pid	process	target process
PID 3000 wrote to memory of 2388	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 3000 wrote to memory of 2388	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 3000 wrote to memory of 2388	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 3000 wrote to memory of 2388	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 2388 wrote to memory of 2624	2388	csc.exe	cvtres.exe
PID 2388 wrote to memory of 2624	2388	csc.exe	cvtres.exe
PID 2388 wrote to memory of 2624	2388	csc.exe	cvtres.exe
PID 2388 wrote to memory of 2624	2388	csc.exe	cvtres.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 3000 wrote to memory of 2948	3000	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 2948 wrote to memory of 2540	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2540	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2540	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2540	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2688	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2688	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2688	2948	RegAsm.exe	schtasks.exe
PID 2948 wrote to memory of 2688	2948	RegAsm.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\NEWQUOTATION#83738_071618sampleproduction_xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0p3snfct\0p3snfct.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD1.tmp" "c:\Users\Admin\AppData\Local\Temp\0p3snfct\CSC53480A00C1AD449A9FE7D6EF675A5822.TMP"
3⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2F0C.tmp"
3⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FC8.tmp"
3⤵
- Creates scheduled task(s)
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0p3snfct\0p3snfct.dll
Filesize
6KB

MD5
a1862207559c00736416fafb122ed464

SHA1
b81d102d2fe3ae34f917870a7b9c0e14c8698aa9

SHA256
0b7ef0288442d6557d29b50bcf6011165b4ab8e6b0e8ae98cf54bf209aa62b92

SHA512
f11d6917339a2eb63816da03329b134125946249ae09a3e139ef2ce7cfd7c3d9b5720d4db0bd75c35036a46668b6926b2b7a30b18c1d0e8a8ff8de38bd646196

Download Submit
C:\Users\Admin\AppData\Local\Temp\0p3snfct\0p3snfct.pdb
Filesize
17KB

MD5
8b123a587dfbe873caa2b7d4b62f60d4

SHA1
4e7a3460552286511b9f426dd666b3496174d54c

SHA256
8336a30a37a99f27401f5aba63590358d8246e236605d9ad6ee382203fda1e06

SHA512
86096a616e78b7fb1c7b6f4d107bb8f0fa8e73c53e4251f1f3764b9941de43b25a9100ea204678f38db24542b4f180d056d7d1a6ba93f1eccf537c0c25ec8f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BD1.tmp
Filesize
1KB

MD5
38e2dbd89b7bfd7dbca513db5d65aed1

SHA1
763158583b0b769d668792291306f13c503c9a48

SHA256
6c79981fce21689ce2a2935cd828b021a889d78bce15887067ab2635dc10de48

SHA512
a47d30f3a451efed778e2b60bc33a35121674c36a497b99f8d92f0f34045cf00df45f3844d7658fee0f2dfaee019489c9716fc5fbf3978bb934a61906457d5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F0C.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FC8.tmp
Filesize
1KB

MD5
6b30dba7972c92c9a1b881e88c108b15

SHA1
f76207985cc5a1f70edb2fb5bd45678f195a4564

SHA256
578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7

SHA512
e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3snfct\0p3snfct.0.cs
Filesize
3KB

MD5
9e8480c77275c6a94d741fa8e9574059

SHA1
39b1ecaf733018a5664a2a1d1a4f8679f1d72b43

SHA256
7dbeac16207fb4f60ccbb2db45dba7e4c230c8ce8ab7366267481e002679d9a4

SHA512
57284b82dbf9c639679321434893e05b1afdcb0edfe06b58e5b1da1e94123e2a16c04d863d4a604b9930289a0e74883991ef445d7f2d09d7c1884dfe72b7d7ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3snfct\0p3snfct.cmdline
Filesize
312B

MD5
4d23cb36dd5238ac7daa5836f00bb992

SHA1
7484db2b4299df13322c88b760731d6edc66ec2d

SHA256
baa787237b2034bb73fcfc3895fffd0e69b9190fc9a77f462deb8ad0017f01d1

SHA512
7470e6979ad9d62fd4682b92aadfdfea064fa6319d16cfaba3c6b16239cdeaed7cca77fd8318f42ebc0fb9b47396d46d696e8feb01246a11345cd06c5fe7c604

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3snfct\CSC53480A00C1AD449A9FE7D6EF675A5822.TMP
Filesize
1KB

MD5
362d4862a163cce767f1472b2f594dc6

SHA1
dbce612de59efcbb78b3a3327a8c34901abf81d8

SHA256
e46a23ce4667f41aaacb417354fb11568c1bf4dc13e5da484c053e425eb3dcb6

SHA512
87556e9d7db1526fe247f9f72402cfc27a5ad19b2ab01bea991923f682b9fc4291fd22d69e4f1d547d25995acb6fd0628e1e0a967958547449b9f9a6953fd390

Download Submit
memory/2948-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3000-22-0x00000000008C0000-0x00000000008F8000-memory.dmp

Filesize
224KB

Download
memory/3000-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/3000-34-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-20-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/3000-19-0x0000000000790000-0x00000000007D4000-memory.dmp

Filesize
272KB

Download
memory/3000-17-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/3000-5-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-1-0x0000000000290000-0x00000000002FA000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads