nanocore | d51eb6b4f29baee5535b5fbb4956778a6d29124dc430ff754dc5fa0710ca9f30

General

Target

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Size

393KB
MD5

137010e7e4327989c8470a609fc1ac22
SHA1

1223c4aaf752e981d905e52158deec8de50b9e63
SHA256

46eb859b89dd55d98d539f49e1cf843a5fa4da648aad21490b0a4c0dfbb0a15b
SHA512

b913a845b274d90206dcaf31843281611882b74428101c1e74141013b0d8d9dae132ab7b4a6d84aa4f18c639a635431298f56ca40d9d4572511f53b14feab3e5
SSDEEP

6144:QKikPFRfxMnQcBJjixiYiVqZ6Yb9s0sRFJ47nVQoSt:UkP3WjYpZYYK0OF27nVQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.158.139.164:1985

127.0.0.1:1985

Mutex

6aa6fff8-65a4-458a-93ce-2335bfa3d428

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-14T19:50:56.724742636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1985
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6aa6fff8-65a4-458a-93ce-2335bfa3d428
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.158.139.164
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTE.url	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exe

description pid process target process

PID 4652 set thread context of 1296 4652 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 4652 set thread context of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Monitor\lanmon.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\LAN Monitor\lanmon.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3788 schtasks.exe
1576 schtasks.exe

pid	process
3788	schtasks.exe
1576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exeRegAsm.exe

pid	process
4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
1296	RegAsm.exe
1296	RegAsm.exe
1296	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1296 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4652 NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Token: SeDebugPrivilege 1296 RegAsm.exe

pid	process
1296	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
Token: SeDebugPrivilege	1296	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEWQUOTATION#83738_071618sampleproduction_xlxs.execsc.exeRegAsm.exe

description	pid	process	target process
PID 4652 wrote to memory of 3980	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 4652 wrote to memory of 3980	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 4652 wrote to memory of 3980	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	csc.exe
PID 3980 wrote to memory of 1948	3980	csc.exe	cvtres.exe
PID 3980 wrote to memory of 1948	3980	csc.exe	cvtres.exe
PID 3980 wrote to memory of 1948	3980	csc.exe	cvtres.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 4652 wrote to memory of 1296	4652	NEWQUOTATION#83738_071618sampleproduction_xlxs.exe	RegAsm.exe
PID 1296 wrote to memory of 1576	1296	RegAsm.exe	schtasks.exe
PID 1296 wrote to memory of 1576	1296	RegAsm.exe	schtasks.exe
PID 1296 wrote to memory of 1576	1296	RegAsm.exe	schtasks.exe
PID 1296 wrote to memory of 3788	1296	RegAsm.exe	schtasks.exe
PID 1296 wrote to memory of 3788	1296	RegAsm.exe	schtasks.exe
PID 1296 wrote to memory of 3788	1296	RegAsm.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEWQUOTATION#83738_071618sampleproduction_xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\NEWQUOTATION#83738_071618sampleproduction_xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\035ru3zb\035ru3zb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp" "c:\Users\Admin\AppData\Local\Temp\035ru3zb\CSC50FFEB45F4FB48A595C7BD5EBC65111.TMP"
3⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6ADF.tmp"
3⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B3E.tmp"
3⤵
- Creates scheduled task(s)
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\035ru3zb\035ru3zb.dll
Filesize
6KB

MD5
e8128d8e52c1d66e730780063aa6782e

SHA1
9db49d53f6bd7d8e409e0249e96612cdc0d8eb22

SHA256
701d74af2c3f18cb09aa5ef67e9284cbc84f1ae1d391a155eef9097f19af7145

SHA512
4371a6a98ed30062d6944683d7293057b4c82b5c56157654a6ea084beec94ee1448c627c43a87a95aa84479ddc11c13b164dc4211d304c514dfa6747e5a7ad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\035ru3zb\035ru3zb.pdb
Filesize
17KB

MD5
ebf2cbb35b78e3ebf7b3e49abc23eecf

SHA1
743fcaba068a9c7223175d047bd973ae76bda0dd

SHA256
84390dff136746560a12966b6f98029b45f31227217de8a2a45ae3c4a65d585a

SHA512
3f6a633195127095358af49c12ea107bc9c0e15b450c7a70e625d726fe7ac83bf99aa4ca921eede3ecf1d14115599c90b464e526749dcbaccab31b5a4e6bea86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp
Filesize
1KB

MD5
4e4841db62dcc099f6b9f431f6af48a0

SHA1
22f1bc1b1715cdbdd88f39dd3ac59ef5d5389e58

SHA256
45ebd34caf0b3d73808fd4e427d99d8866a59ff0ed575050118e116b6708f6a5

SHA512
059c2f4e1a5841aeb8cf4bc9296eac79ed4d5e26e99f13f0e3760a18b56707947349939492814ca001b04bf7d759b0ae49018eb033708ff0d7cc67d08c406651

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6ADF.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B3E.tmp
Filesize
1KB

MD5
ecf141ec69adbb2a5c3dd5c85cd0ec39

SHA1
0ad224632fa58d103142c05c44a142f3d7208291

SHA256
64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316

SHA512
4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\035ru3zb\035ru3zb.0.cs
Filesize
3KB

MD5
9e8480c77275c6a94d741fa8e9574059

SHA1
39b1ecaf733018a5664a2a1d1a4f8679f1d72b43

SHA256
7dbeac16207fb4f60ccbb2db45dba7e4c230c8ce8ab7366267481e002679d9a4

SHA512
57284b82dbf9c639679321434893e05b1afdcb0edfe06b58e5b1da1e94123e2a16c04d863d4a604b9930289a0e74883991ef445d7f2d09d7c1884dfe72b7d7ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\035ru3zb\035ru3zb.cmdline
Filesize
312B

MD5
f0225978d6f871ec99bcd794f54f9f6b

SHA1
37a74354462fae429934f4ac23267fed7909e463

SHA256
06a095b6f8a4f24475981d7f8b2f1a26d968a0419a7887b2332b82744d92070c

SHA512
dc22a2e088639a3e20bcffb0342ce0227dee7c13d8de1776da1a39beccedf472f57fa080e8dbbe31aadddbe6803e4f39f0c34f612137418db98cb8273ad87a09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\035ru3zb\CSC50FFEB45F4FB48A595C7BD5EBC65111.TMP
Filesize
1KB

MD5
8825b361c7b99a983ad207145aab83b7

SHA1
ddc1d74f44f7e344b922a402b17ecc7d49fce58e

SHA256
26cb817d5a48bc24f6d7fe7ff0a0634ab21ee4523108d1ea237b1bb39decc56b

SHA512
3af1f64b5430b4ea4872f05437c2e7a4a8f39ac7f28c98d9f652d46c3b53aec85ed9e00464018ce32cc0f7b13cefe4182ba9ab12945b5a772d879ba1b0764443

Download Submit
memory/1296-29-0x00000000754E0000-0x0000000075A91000-memory.dmp

Filesize
5.7MB

Download
memory/1296-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1296-40-0x00000000754E0000-0x0000000075A91000-memory.dmp

Filesize
5.7MB

Download
memory/1296-39-0x00000000754E0000-0x0000000075A91000-memory.dmp

Filesize
5.7MB

Download
memory/1296-38-0x00000000754E2000-0x00000000754E3000-memory.dmp

Filesize
4KB

Download
memory/1296-30-0x00000000754E0000-0x0000000075A91000-memory.dmp

Filesize
5.7MB

Download
memory/1296-28-0x00000000754E2000-0x00000000754E3000-memory.dmp

Filesize
4KB

Download
memory/4652-23-0x0000000005970000-0x00000000059A8000-memory.dmp

Filesize
224KB

Download
memory/4652-27-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-24-0x0000000005E70000-0x0000000005F0C000-memory.dmp

Filesize
624KB

Download
memory/4652-0-0x00000000752FE000-0x00000000752FF000-memory.dmp

Filesize
4KB

Download
memory/4652-17-0x00000000018D0000-0x00000000018D8000-memory.dmp

Filesize
32KB

Download
memory/4652-6-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-1-0x0000000000DC0000-0x0000000000E2A000-memory.dmp

Filesize
424KB

Download
memory/4652-21-0x00000000057C0000-0x00000000057CC000-memory.dmp

Filesize
48KB

Download
memory/4652-20-0x0000000005930000-0x0000000005974000-memory.dmp

Filesize
272KB

Download
memory/4652-19-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads