nanocore | 492b7e53b0b9832ad3c811c6a5f38711346b2eb79c033cdaecc186e67ab45f6e

General

Target

POEA MEMORANDUM N0 056.exe
Size

680KB
MD5

f456b551503ad95921e9cc9a3fb117be
SHA1

03fdfe9e9d663f5c3d013b8ee9e9dab46bdda990
SHA256

ea37dd28632e9d1cbba36da7d3daea76d4071af9f75d9afb29265edf1660aba1
SHA512

2070fef9bb60225d53a483ddb4cda75823c8f45f8abfd25a036301564dd23ebf3f04aee9bc7e707f0802c83e025ef672c488367da4b6770f93c4318f10f2491a
SSDEEP

12288:JcDUU1s3qeEP9VtBDMR7NuXXTT7jIm+HbAnQ97dtabaiFW8E6XorKbi8P5aUL5mf:JM1sav9v078TTHZ+7G47zzig2ou

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

shahzad73.casacam.net:9036

shahzad73.ddns.net:9036

Mutex

c4cca249-81f6-4232-9f14-01569e09f5f0

Attributes

activate_away_mode
true
backup_connection_host
shahzad73.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-06T13:23:03.514637236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9036
default_group
JANUARY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c4cca249-81f6-4232-9f14-01569e09f5f0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
shahzad73.casacam.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

POEA MEMORANDUM N0 056.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	POEA MEMORANDUM N0 056.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

POEA MEMORANDUM N0 056.exe

description pid process target process

PID 1716 set thread context of 2616 1716 POEA MEMORANDUM N0 056.exe POEA MEMORANDUM N0 056.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2580 schtasks.exe
3024 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

POEA MEMORANDUM N0 056.exePOEA MEMORANDUM N0 056.exe

pid process

1716 POEA MEMORANDUM N0 056.exe
2616 POEA MEMORANDUM N0 056.exe
2616 POEA MEMORANDUM N0 056.exe
2616 POEA MEMORANDUM N0 056.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

POEA MEMORANDUM N0 056.exe

pid process

2616 POEA MEMORANDUM N0 056.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

POEA MEMORANDUM N0 056.exePOEA MEMORANDUM N0 056.exe

description pid process

Token: SeDebugPrivilege 1716 POEA MEMORANDUM N0 056.exe
Token: SeDebugPrivilege 2616 POEA MEMORANDUM N0 056.exe

description	pid	process	target process
PID 1716 set thread context of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe

pid	process
2580	schtasks.exe
3024	schtasks.exe

pid	process
1716	POEA MEMORANDUM N0 056.exe
2616	POEA MEMORANDUM N0 056.exe
2616	POEA MEMORANDUM N0 056.exe
2616	POEA MEMORANDUM N0 056.exe

pid	process
2616	POEA MEMORANDUM N0 056.exe

description	pid	process
Token: SeDebugPrivilege	1716	POEA MEMORANDUM N0 056.exe
Token: SeDebugPrivilege	2616	POEA MEMORANDUM N0 056.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

POEA MEMORANDUM N0 056.exePOEA MEMORANDUM N0 056.exe

description	pid	process	target process
PID 1716 wrote to memory of 2580	1716	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 1716 wrote to memory of 2580	1716	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 1716 wrote to memory of 2580	1716	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 1716 wrote to memory of 2580	1716	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 1716 wrote to memory of 2616	1716	POEA MEMORANDUM N0 056.exe	POEA MEMORANDUM N0 056.exe
PID 2616 wrote to memory of 3024	2616	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 2616 wrote to memory of 3024	2616	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 2616 wrote to memory of 3024	2616	POEA MEMORANDUM N0 056.exe	schtasks.exe
PID 2616 wrote to memory of 3024	2616	POEA MEMORANDUM N0 056.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM N0 056.exe
"C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM N0 056.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jqKaAumEoCrxw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM N0 056.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFF17.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp
Filesize
1KB

MD5
ea0efb6a8ca087e4b26f45590afaa3ae

SHA1
801b6e943481029828b432817b476bbfa836d72b

SHA256
fb19a221c952d84afb707a6a2c78a9ba05d2d05044ad6c6f561e04c8d8cc0899

SHA512
3f38bf0fdfe5ffc96decc743da8a3fa3a4db9f7e21b129941906bbfc9a98857bb249f08969a57e0f1921b5754c1f8a1510821baa48d996ba857ab6938d397dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF17.tmp
Filesize
1KB

MD5
a0d3f038d2edfb329b06bdf9124625f4

SHA1
65ded73c490282c57cf84e21cb316c78105412e2

SHA256
f5d2338f5e6526200d60a203691f654e023ee3802a0117488166d0d2d77fd233

SHA512
31a817631e2d14236d704d26eb88822b337ab55d03b69ec473ddaef59847e16533edd28187ac7846926f1c9d90ab46919f758f474fdfeab8dfb8f54a373396ff

Download Submit
memory/1716-0-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/1716-1-0x0000000000EE0000-0x0000000000F90000-memory.dmp

Filesize
704KB

Download
memory/1716-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-3-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1716-4-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/1716-5-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-6-0x0000000004DD0000-0x0000000004E5C000-memory.dmp

Filesize
560KB

Download
memory/1716-28-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-26-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-30-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-33-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2616-34-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/2616-35-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2616-36-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-37-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads