nanocore | c1cc33f19fb3da6f12b1850e32747092446568f4c5c4417ab4f87497f3e71ffc

General

Target

First quater purchase quotation request/FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Size

368KB
MD5

09797cdd39ac8e04e9f06ebbea8d6080
SHA1

7aec84b16f1b53b460a20060a2ec56342da78217
SHA256

5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e
SHA512

b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d
SSDEEP

6144:aiC4cGH9KHku2PHGz5j83UgJgGXjQDmjWzb1qY4xJDFssSNGKb1UugFmRj:aiC4V1uMI5jn4g2j1mb1cJ2lNGKb1F

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

officewkgrace.ddns.net:17084

212.7.208.100:17084

Mutex

0037a82e-4499-413e-b334-92da53e56ece

Attributes

activate_away_mode
true
backup_connection_host
212.7.208.100
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-10-14T11:37:36.306932336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
17084
default_group
psm 93
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0037a82e-4499-413e-b334-92da53e56ece
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
officewkgrace.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe

Executes dropped EXE 2 IoCs

Processes:

wordapp.exewordapp.exe

pid process

2328 wordapp.exe
1620 wordapp.exe

pid	process
2328	wordapp.exe
1620	wordapp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wordapp.exewordapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wordApplication = "C:\\Users\\Admin\\AppData\\Local\\wordapp.exe -boot"	wordapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	wordapp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wordapp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wordapp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wordapp.exe

description pid process target process

PID 2328 set thread context of 1620 2328 wordapp.exe wordapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wordapp.exe

description	pid	process	target process
PID 2328 set thread context of 1620	2328	wordapp.exe	wordapp.exe

Drops file in Program Files directory 2 IoCs

Processes:

wordapp.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	wordapp.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	wordapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2392 schtasks.exe
660 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wordapp.exe

pid process

1620 wordapp.exe
1620 wordapp.exe
1620 wordapp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wordapp.exe

pid process

1620 wordapp.exe

pid	process
2392	schtasks.exe
660	schtasks.exe

pid	process
1620	wordapp.exe
1620	wordapp.exe
1620	wordapp.exe

pid	process
1620	wordapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exewordapp.exewordapp.exe

description	pid	process
Token: SeDebugPrivilege	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Token: SeDebugPrivilege	2328	wordapp.exe
Token: SeDebugPrivilege	1620	wordapp.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.execmd.exewordapp.exewordapp.exe

description	pid	process	target process
PID 2252 wrote to memory of 2620	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2252 wrote to memory of 2620	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2252 wrote to memory of 2620	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2252 wrote to memory of 3152	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2252 wrote to memory of 3152	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 2252 wrote to memory of 3152	2252	FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe	cmd.exe
PID 3152 wrote to memory of 2328	3152	cmd.exe	wordapp.exe
PID 3152 wrote to memory of 2328	3152	cmd.exe	wordapp.exe
PID 3152 wrote to memory of 2328	3152	cmd.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 2328 wrote to memory of 1620	2328	wordapp.exe	wordapp.exe
PID 1620 wrote to memory of 660	1620	wordapp.exe	schtasks.exe
PID 1620 wrote to memory of 660	1620	wordapp.exe	schtasks.exe
PID 1620 wrote to memory of 660	1620	wordapp.exe	schtasks.exe
PID 1620 wrote to memory of 2392	1620	wordapp.exe	schtasks.exe
PID 1620 wrote to memory of 2392	1620	wordapp.exe	schtasks.exe
PID 1620 wrote to memory of 2392	1620	wordapp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
"C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe" "C:\Users\Admin\AppData\Local\wordapp.exe"
2⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\wordapp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\wordapp.exe
"C:\Users\Admin\AppData\Local\wordapp.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\wordapp.exe
"C:\Users\Admin\AppData\Local\wordapp.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD45D.tmp"
5⤵
- Creates scheduled task(s)
PID:660

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"
5⤵
- Creates scheduled task(s)
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2384 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wordapp.exe.log
Filesize
706B

MD5
0110f3d722cddd9753644c78a308ff57

SHA1
c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7

SHA256
03c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4

SHA512
8a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45D.tmp
Filesize
1KB

MD5
db22af35d8ec778d087a5a134b54dfde

SHA1
cd57666e2ada94016032b967984c4f65beed0dab

SHA256
2530403cf3fcc489695ab50e1871bd71ac477bd11129049c5f8bc36cc0bf20e9

SHA512
6e3153e50fa887959ae5c0b76d0e042da12cd4f94c0f0d334a2c49d2f45bf6ff38364f51c895e2f0f2a4f8287356c4be262bddee3a0c4d276eecd8fe048bc4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp
Filesize
1KB

MD5
0339b45ef206f4becc88be0d65e24b9e

SHA1
6503a1851f4ccd8c80a31f96bd7ae40d962c9fad

SHA256
3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83

SHA512
c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Download Submit
C:\Users\Admin\AppData\Local\wordapp.exe
Filesize
368KB

MD5
09797cdd39ac8e04e9f06ebbea8d6080

SHA1
7aec84b16f1b53b460a20060a2ec56342da78217

SHA256
5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e

SHA512
b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d

Download Submit
memory/1620-36-0x00000000060A0000-0x00000000060AA000-memory.dmp

Filesize
40KB

Download
memory/1620-35-0x0000000005080000-0x000000000509E000-memory.dmp

Filesize
120KB

Download
memory/1620-34-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/1620-26-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/1620-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-16-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2252-6-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/2252-1-0x0000000000C60000-0x0000000000CC4000-memory.dmp

Filesize
400KB

Download
memory/2252-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/2252-2-0x0000000005600000-0x0000000005646000-memory.dmp

Filesize
280KB

Download
memory/2252-3-0x00000000057E0000-0x0000000005800000-memory.dmp

Filesize
128KB

Download
memory/2252-4-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/2252-8-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/2252-7-0x00000000056C0000-0x00000000056CC000-memory.dmp

Filesize
48KB

Download
memory/2252-5-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2252-9-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2328-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2328-20-0x0000000008550000-0x00000000085EC000-memory.dmp

Filesize
624KB

Download
memory/2328-19-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2328-18-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2328-17-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads