nanocore | 152831911e38d9e20c6c82b22cd65258fab41c3c1017d2127854b91c8331a685

General

Target

Bank Details.exe
Size

3.5MB
MD5

72541dff5041b2d243e0502ecb452ef1
SHA1

8afb4d29dee980bedefb058453ed11e1c151f938
SHA256

152831911e38d9e20c6c82b22cd65258fab41c3c1017d2127854b91c8331a685
SHA512

f4877723eb06c98b0ede4868331cc0a64a09e7c02cebad044f3b6e5d1e741d45393ee7d1937fa031e26c463dc1370037ecb0bbe3eb42fd7dda8868c844bfd7d0
SSDEEP

49152:KOb699GhOeeYrHhxNg0Dobuh9CYW/jgFdfUH8SIP1wJ5+BPtk6S:q9vYrdnw8SIKJYBP

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

arkseven7002.ddns.net:7727

Mutex

10a66da6-234d-4e15-acda-574830a08fca

Attributes

activate_away_mode
true
backup_connection_host
arkseven7002.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-04-18T01:03:25.467183836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
7727
default_group
BLESSED BOTS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
10a66da6-234d-4e15-acda-574830a08fca
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
arkseven7002.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CasPol.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	CasPol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank Details.exe

description pid process target process

PID 2368 set thread context of 1952 2368 Bank Details.exe CasPol.exe

description	pid	process	target process
PID 2368 set thread context of 1952	2368	Bank Details.exe	CasPol.exe

Drops file in Program Files directory 2 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	CasPol.exe
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	CasPol.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CasPol.exe

pid process

1952 CasPol.exe
1952 CasPol.exe
1952 CasPol.exe
1952 CasPol.exe
1952 CasPol.exe
1952 CasPol.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CasPol.exe

pid process

1952 CasPol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CasPol.exe

description pid process

Token: SeDebugPrivilege 1952 CasPol.exe

pid	process
1952	CasPol.exe
1952	CasPol.exe
1952	CasPol.exe
1952	CasPol.exe
1952	CasPol.exe
1952	CasPol.exe

pid	process
1952	CasPol.exe

description	pid	process
Token: SeDebugPrivilege	1952	CasPol.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Bank Details.exe

description	pid	process	target process
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe
PID 2368 wrote to memory of 1952	2368	Bank Details.exe	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-10-0x00000000004F0000-0x000000000050E000-memory.dmp

Filesize
120KB

Download
memory/1952-9-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1952-6-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-5-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/1952-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-11-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1952-15-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/1952-14-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1952-17-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/1952-19-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/1952-20-0x00000000020F0000-0x0000000002104000-memory.dmp

Filesize
80KB

Download
memory/1952-16-0x0000000000A20000-0x0000000000A2E000-memory.dmp

Filesize
56KB

Download
memory/1952-18-0x00000000020D0000-0x00000000020DE000-memory.dmp

Filesize
56KB

Download
memory/1952-21-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/1952-22-0x0000000002250000-0x0000000002264000-memory.dmp

Filesize
80KB

Download
memory/1952-23-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/1952-24-0x00000000022D0000-0x00000000022FE000-memory.dmp

Filesize
184KB

Download
memory/1952-25-0x0000000002280000-0x0000000002294000-memory.dmp

Filesize
80KB

Download
memory/1952-27-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/1952-28-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads