nanocore | c1cc33f19fb3da6f12b1850e32747092446568f4c5c4417ab4f87497f3e71ffc

General

Target

First quater purchase quotation request/FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Size

368KB
MD5

09797cdd39ac8e04e9f06ebbea8d6080
SHA1

7aec84b16f1b53b460a20060a2ec56342da78217
SHA256

5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e
SHA512

b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d
SSDEEP

6144:aiC4cGH9KHku2PHGz5j83UgJgGXjQDmjWzb1qY4xJDFssSNGKb1UugFmRj:aiC4V1uMI5jn4g2j1mb1cJ2lNGKb1F

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

officewkgrace.ddns.net:17084

212.7.208.100:17084

Mutex

0037a82e-4499-413e-b334-92da53e56ece

Attributes

activate_away_mode
true
backup_connection_host
212.7.208.100
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-10-14T11:37:36.306932336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
17084
default_group
psm 93
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0037a82e-4499-413e-b334-92da53e56ece
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
officewkgrace.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

wordapp.exewordapp.exe

pid process

2220 wordapp.exe
1652 wordapp.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2540 cmd.exe

pid	process
2220	wordapp.exe
1652	wordapp.exe

pid	process
2540	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wordapp.exewordapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wordApplication = "C:\\Users\\Admin\\AppData\\Local\\wordapp.exe -boot"	wordapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe"	wordapp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wordapp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wordapp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wordapp.exe

description pid process target process

PID 2220 set thread context of 1652 2220 wordapp.exe wordapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wordapp.exe

description	pid	process	target process
PID 2220 set thread context of 1652	2220	wordapp.exe	wordapp.exe

Drops file in Program Files directory 2 IoCs

Processes:

wordapp.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Host\arphost.exe	wordapp.exe
File opened for modification	C:\Program Files (x86)\ARP Host\arphost.exe	wordapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

548 schtasks.exe
1724 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wordapp.exe

pid process

1652 wordapp.exe
1652 wordapp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wordapp.exe

pid process

1652 wordapp.exe

pid	process
548	schtasks.exe
1724	schtasks.exe

pid	process
1652	wordapp.exe
1652	wordapp.exe

pid	process
1652	wordapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exewordapp.exewordapp.exe

description	pid	process
Token: SeDebugPrivilege	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Token: SeDebugPrivilege	2220	wordapp.exe
Token: SeDebugPrivilege	1652	wordapp.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.execmd.exewordapp.exewordapp.exe

description	pid	process	target process
PID 2444 wrote to memory of 2412	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2412	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2412	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2412	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2540	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2540	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2540	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2444 wrote to memory of 2540	2444	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2540 wrote to memory of 2220	2540	cmd.exe	wordapp.exe
PID 2540 wrote to memory of 2220	2540	cmd.exe	wordapp.exe
PID 2540 wrote to memory of 2220	2540	cmd.exe	wordapp.exe
PID 2540 wrote to memory of 2220	2540	cmd.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 2220 wrote to memory of 1652	2220	wordapp.exe	wordapp.exe
PID 1652 wrote to memory of 548	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 548	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 548	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 548	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 1724	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 1724	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 1724	1652	wordapp.exe	schtasks.exe
PID 1652 wrote to memory of 1724	1652	wordapp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
"C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe" "C:\Users\Admin\AppData\Local\wordapp.exe"
2⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\wordapp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\wordapp.exe
"C:\Users\Admin\AppData\Local\wordapp.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\wordapp.exe
"C:\Users\Admin\AppData\Local\wordapp.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp"
5⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"
5⤵
- Creates scheduled task(s)
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp
Filesize
1KB

MD5
db22af35d8ec778d087a5a134b54dfde

SHA1
cd57666e2ada94016032b967984c4f65beed0dab

SHA256
2530403cf3fcc489695ab50e1871bd71ac477bd11129049c5f8bc36cc0bf20e9

SHA512
6e3153e50fa887959ae5c0b76d0e042da12cd4f94c0f0d334a2c49d2f45bf6ff38364f51c895e2f0f2a4f8287356c4be262bddee3a0c4d276eecd8fe048bc4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp
Filesize
1KB

MD5
447ab194ab36cb1d20078d80e502b1b2

SHA1
a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0

SHA256
8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5

SHA512
49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327

Download Submit
\Users\Admin\AppData\Local\wordapp.exe
Filesize
368KB

MD5
09797cdd39ac8e04e9f06ebbea8d6080

SHA1
7aec84b16f1b53b460a20060a2ec56342da78217

SHA256
5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e

SHA512
b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d

Download Submit
memory/1652-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-37-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1652-36-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/1652-35-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/1652-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-14-0x0000000000B40000-0x0000000000BA4000-memory.dmp

Filesize
400KB

Download
memory/2444-13-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-4-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-3-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2444-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2444-2-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/2444-1-0x0000000000E70000-0x0000000000ED4000-memory.dmp

Filesize
400KB

Download
memory/2444-9-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-8-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2444-5-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads