nanocore | 0c493a39761851a26d351a3258692fe144cf756097a4bd923a959e8795ad6c6c

General

Target

Quotation_Request_Sheet_0089600090944833933.exe
Size

437KB
MD5

700cedae278fb3092153285d13bafbfe
SHA1

8e291c02383b22a4baa40fe09fa9bccc8a21b689
SHA256

8397aac7952f0432c2aff655eb67d09f849e41389f00a663d6e8cb681f21c2dd
SHA512

99671a59e3a45b81a0ee557adb97360e02f51eb1c8d9830e4e16fe7a0c7cd171249d21c87777e215a5cdd6f4b3a8f3c1f864cbb1a209c55068774206b1604de3
SSDEEP

6144:n1UuE2wWm+f6hmQPUDQcFBZUKi1+OO7x3t0omda:4o1QmUB10x3ON

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.125.205.71:6789

omada1.ddns.net:6789

Mutex

1e6a039e-ec2c-48e8-b50f-442df5e4a007

Attributes

activate_away_mode
true
backup_connection_host
omada1.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-28T10:38:03.742178936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
6789
default_group
15 star
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1e6a039e-ec2c-48e8-b50f-442df5e4a007
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.125.205.71
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

Quotation_Request_Sheet_0089600090944833933.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcLRYd.url	Quotation_Request_Sheet_0089600090944833933.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation_Request_Sheet_0089600090944833933.exe

description pid process target process

PID 3024 set thread context of 2640 3024 Quotation_Request_Sheet_0089600090944833933.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Quotation_Request_Sheet_0089600090944833933.exeRegAsm.exe

pid process

3024 Quotation_Request_Sheet_0089600090944833933.exe
3024 Quotation_Request_Sheet_0089600090944833933.exe
2640 RegAsm.exe
2640 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2640 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation_Request_Sheet_0089600090944833933.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3024 Quotation_Request_Sheet_0089600090944833933.exe
Token: SeDebugPrivilege 2640 RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 3024 set thread context of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe

pid	process
3024	Quotation_Request_Sheet_0089600090944833933.exe
3024	Quotation_Request_Sheet_0089600090944833933.exe
2640	RegAsm.exe
2640	RegAsm.exe

pid	process
2640	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3024	Quotation_Request_Sheet_0089600090944833933.exe
Token: SeDebugPrivilege	2640	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Quotation_Request_Sheet_0089600090944833933.execsc.exe

description	pid	process	target process
PID 3024 wrote to memory of 1448	3024	Quotation_Request_Sheet_0089600090944833933.exe	csc.exe
PID 3024 wrote to memory of 1448	3024	Quotation_Request_Sheet_0089600090944833933.exe	csc.exe
PID 3024 wrote to memory of 1448	3024	Quotation_Request_Sheet_0089600090944833933.exe	csc.exe
PID 3024 wrote to memory of 1448	3024	Quotation_Request_Sheet_0089600090944833933.exe	csc.exe
PID 1448 wrote to memory of 2764	1448	csc.exe	cvtres.exe
PID 1448 wrote to memory of 2764	1448	csc.exe	cvtres.exe
PID 1448 wrote to memory of 2764	1448	csc.exe	cvtres.exe
PID 1448 wrote to memory of 2764	1448	csc.exe	cvtres.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe
PID 3024 wrote to memory of 2640	3024	Quotation_Request_Sheet_0089600090944833933.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp" "c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP"
3⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp
Filesize
1KB

MD5
b9b6b2ed0c87b30c0e8e28f115647257

SHA1
775774c51fbbba4e5610549e34288d0514f7bd66

SHA256
85a5cd1c35433834a9a19dc92d5fb0e9f11f6c37d36987b919f389613d059072

SHA512
c673e6052432abb59ae1c517d6886b53fd7c41a2f2ce5423b84286816b083f8c04eeab93d02feb2035bc0c90b8a7d2f1f98ebff3660565af362bfd4862a0a42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.dll
Filesize
9KB

MD5
2cc70c8b7627676d3f280c51f953593f

SHA1
a2c8a193a720790b1688380a06d816fd12378882

SHA256
73d31773b199af66c4fcefbe9031a78c3447f9a2558852c4b0b85e53115aa041

SHA512
35a1c367804f0edf6be2d05b831491bfd394ae03c3dccadbd81d995db96447f031cac77de66d02a847a856da8c4cce88d27bfa88f251db3fd16022a69410999a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.pdb
Filesize
29KB

MD5
f40c18a3557ac7fb58cbb2e78aa81b3f

SHA1
707b2bb71ddc96ddfdddcc671a58db11ee12fa93

SHA256
b18974171243e3677bedd26e5fcfd9ce9320a34fd134ce30d87884a1e984aca4

SHA512
d0069139feffad55d195fe2fa4b050dff201efb1887806a65271329616668c77113493d4205341a9960cac8e31dcdaf52a62eb7fd5dce24b83cee5c94f839273

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP
Filesize
1KB

MD5
40a60c9ef7ab7332bfaf6230c84e8b40

SHA1
2221f2abb192c85f2ef5e82188c8b2914f4a593d

SHA256
f9bde7623139d1dc698ee475dcfcfed5d3b7646d9defc06fc70ff170c8ac7689

SHA512
841d0f15c2b8cf63a16786b4babdb15376413ecd71b5aa489c07dc294a390998f1b368af3e5fb058ce733a494383c78d2c4b083c1aed8fa88c433f9debeeee88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.0.cs
Filesize
10KB

MD5
4801a7d3498045d0e79c845b4750557d

SHA1
479bae8d7b735b8d24225d173bdbf47b940e4da0

SHA256
e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31

SHA512
4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline
Filesize
312B

MD5
3131deac5c2136e027dfea093fbf238f

SHA1
a2ee1fd66c527c9609485bd37eaea25f35017cf4

SHA256
2ff9d7ee1f81e4e0a1a681c7767d18d461f66f5b24165d928007a33a1f6b6baf

SHA512
b61bbf22a63632ee72746882c5f1eafef37d905ec7515e26ab07da9cbbe6a622b051ba6daca6ed48b024000cf1613433194f6a8d260c837af0453fd3724ad4fd

Download Submit
memory/2640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2640-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3024-23-0x0000000000870000-0x00000000008A8000-memory.dmp

Filesize
224KB

Download
memory/3024-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3024-5-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-20-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/3024-19-0x0000000000760000-0x00000000007A2000-memory.dmp

Filesize
264KB

Download
memory/3024-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3024-1-0x0000000000230000-0x00000000002A4000-memory.dmp

Filesize
464KB

Download
memory/3024-35-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing