nanocore | 505d76702345bc95a07e30c9d7c57bb700e98124141d14b336e8d5c5e3e5c296

General

Target

holf.exe
Size

884KB
MD5

912d6c88f475bb275629201d52ae0ae6
SHA1

3e64f86e98787997c98b98039bb491fa613e79cc
SHA256

6b8e10fb6b6aa647c8c0ba181184d950e9f47ca6753213fc96b1b3ec18409f93
SHA512

c8362c522e556166cc018800f721c8c4c3067d51209063f91424fbaf249b36441fc69e2556ee9b94cb7c0a6eee82d51b6105c3fa1a8148a98446e1a7e368d254
SSDEEP

24576:rmoO8itEqfZng7cw8lSQzuQM9saXICbmyX97i:qvZScwKSQzrM9ZzfN7i

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cboss33.hopto.org:4722

Mutex

f934e45a-6528-4b96-bd96-79fd13c4fe12

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2018-07-05T13:16:32.309254436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
4722
default_group
Dollar
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f934e45a-6528-4b96-bd96-79fd13c4fe12
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cboss33.hopto.org
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

excel.sfx.exeexcel.exe

pid process

2664 excel.sfx.exe
2332 excel.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeexcel.sfx.exe

pid process

2628 cmd.exe
2664 excel.sfx.exe
2664 excel.sfx.exe
2664 excel.sfx.exe
2664 excel.sfx.exe

pid	process
2664	excel.sfx.exe
2332	excel.exe

pid	process
2628	cmd.exe
2664	excel.sfx.exe
2664	excel.sfx.exe
2664	excel.sfx.exe
2664	excel.sfx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

excel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files\\ARP Host\\arphost.exe"	excel.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

excel.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA excel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	excel.exe

Drops file in Program Files directory 2 IoCs

Processes:

excel.exe

description	ioc	process
File created	C:\Program Files\ARP Host\arphost.exe	excel.exe
File opened for modification	C:\Program Files\ARP Host\arphost.exe	excel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

excel.exe

pid process

2332 excel.exe
2332 excel.exe
2332 excel.exe
2332 excel.exe
2332 excel.exe
2332 excel.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

excel.exe

pid process

2332 excel.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

excel.exe

description pid process

Token: SeDebugPrivilege 2332 excel.exe

pid	process
2332	excel.exe
2332	excel.exe
2332	excel.exe
2332	excel.exe
2332	excel.exe
2332	excel.exe

pid	process
2332	excel.exe

description	pid	process
Token: SeDebugPrivilege	2332	excel.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

holf.execmd.exeexcel.sfx.exe

description	pid	process	target process
PID 1776 wrote to memory of 2628	1776	holf.exe	cmd.exe
PID 1776 wrote to memory of 2628	1776	holf.exe	cmd.exe
PID 1776 wrote to memory of 2628	1776	holf.exe	cmd.exe
PID 1776 wrote to memory of 2628	1776	holf.exe	cmd.exe
PID 2628 wrote to memory of 2664	2628	cmd.exe	excel.sfx.exe
PID 2628 wrote to memory of 2664	2628	cmd.exe	excel.sfx.exe
PID 2628 wrote to memory of 2664	2628	cmd.exe	excel.sfx.exe
PID 2628 wrote to memory of 2664	2628	cmd.exe	excel.sfx.exe
PID 2664 wrote to memory of 2332	2664	excel.sfx.exe	excel.exe
PID 2664 wrote to memory of 2332	2664	excel.sfx.exe	excel.exe
PID 2664 wrote to memory of 2332	2664	excel.sfx.exe	excel.exe
PID 2664 wrote to memory of 2332	2664	excel.sfx.exe	excel.exe

C:\Users\Admin\AppData\Local\Temp\holf.exe
"C:\Users\Admin\AppData\Local\Temp\holf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
excel.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat
Filesize
28B

MD5
f0b6f875f327f542118e2416f8259a13

SHA1
3edb59643d2be4f440aa9216c1a4ec52a972b8de

SHA256
48b03ca255d2246d388cce7df6cf578303485d5acfe53e9ca7038ff518a3be01

SHA512
f3a0191c5d34fa0771e6ad053a046a3b3d0cec5f61a82281bffe309258d74599534afbd814bb397b619e6033e59b2dc372112cbbcb92cb6ecfd74ce4481bb2ad

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
Filesize
757KB

MD5
a0b5f08cd959d1e068179e1d6889710f

SHA1
e26ac168101697f1660990cfacbad48da4225e04

SHA256
e9b5abcd2b8ea76a1e8632156689bd234ddfb0b5be2674b72a17be5b62dcebe2

SHA512
7dad1ac11f01c2ed7982f79e891a5b7f07daf6ec126a7a04e0b67681ec08c136f260bdf88e71e319a7285efb4c5fec902c00d5801e7b606e7334c2d4ac5b7aa9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
Filesize
552KB

MD5
3a8ea73b34b33345474770c83cc825ae

SHA1
d50ce020098b23149d354ee1c4e6ed742ace11fd

SHA256
2b0196abbdb448cdde45f9bc9bce3c879f39ff3783ce375a7a6a1ce4130025f1

SHA512
9cbdb8c16fb4595c44434351ae4df8bbbb137dce51e041df8fdbfee031a199d040e6385ea8b93421908b46799a52fbda660ff08f457f536bd511957c5a22b145

Download Submit
memory/2332-39-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2332-40-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2332-41-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/2332-43-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2332-42-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/2332-46-0x0000000002290000-0x00000000022A4000-memory.dmp

Filesize
80KB

Download
memory/2332-45-0x0000000002280000-0x000000000228E000-memory.dmp

Filesize
56KB

Download
memory/2332-44-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2332-47-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2332-48-0x00000000022B0000-0x00000000022C4000-memory.dmp

Filesize
80KB

Download
memory/2332-49-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2332-50-0x000000001AFE0000-0x000000001AFFE000-memory.dmp

Filesize
120KB

Download
memory/2332-51-0x000000001B100000-0x000000001B10A000-memory.dmp

Filesize
40KB

Download
memory/2332-52-0x000000001B110000-0x000000001B13E000-memory.dmp

Filesize
184KB

Download
memory/2332-53-0x0000000000B70000-0x0000000000B84000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads