nanocore | b6b18cdd0c3bc6c1a7501b5b46dd3332aab1e104d0ecef45b8d0f81f246c1db5

General

Target

38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe
Size

463KB
MD5

d440a009fdf2f597cc37dd26baa95305
SHA1

6e7f39197bbb705715b435fdb988bf0996384736
SHA256

38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252
SHA512

2c574ef847febb7c5dc6f29af9ade92cf70ac615faa670828ebdecf46e7e3f4d181ced426201c1a05eafa747f9bd01dad490284cbfc8b45b75eb898d266ffd42
SSDEEP

6144:ZhjmMV+zyoFd/Lt00Gf5PW9kifgJaS+Xkk0G0njdQl1PQpZisyt9a0:pAzFd/Ltof5BtaS+XkXGeQl1EZfA

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

multipleentry90dayscontroller.homingbeacon.net:54980

Mutex

6df769ca-fa90-4d27-be6c-663c699e6628

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-28T11:56:28.201018636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
54980
default_group
K59
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6df769ca-fa90-4d27-be6c-663c699e6628
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
multipleentry90dayscontroller.homingbeacon.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 3 IoCs

pid	Process
2948	lbkefhzm.exe
1020	lbkefhzm.exe
1544	lbkefhzm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwsscwwgp = "C:\\Users\\Admin\\AppData\\Roaming\\lhhqavvfo\\okttpyiien.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lbkefhzm.exe\" "	lbkefhzm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Manager = "C:\\Program Files (x86)\\WPA Manager\\wpamgr.exe"	lbkefhzm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lbkefhzm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 1544	2948	lbkefhzm.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WPA Manager\wpamgr.exe	lbkefhzm.exe
File opened for modification	C:\Program Files (x86)\WPA Manager\wpamgr.exe	lbkefhzm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbkefhzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbkefhzm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1544	lbkefhzm.exe
1544	lbkefhzm.exe
1544	lbkefhzm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	lbkefhzm.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2948	lbkefhzm.exe
2948	lbkefhzm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	lbkefhzm.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2948	2580	38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe	85
PID 2580 wrote to memory of 2948	2580	38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe	85
PID 2580 wrote to memory of 2948	2580	38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe	85
PID 2948 wrote to memory of 1020	2948	lbkefhzm.exe	89
PID 2948 wrote to memory of 1020	2948	lbkefhzm.exe	89
PID 2948 wrote to memory of 1020	2948	lbkefhzm.exe	89
PID 2948 wrote to memory of 1544	2948	lbkefhzm.exe	90
PID 2948 wrote to memory of 1544	2948	lbkefhzm.exe	90
PID 2948 wrote to memory of 1544	2948	lbkefhzm.exe	90
PID 2948 wrote to memory of 1544	2948	lbkefhzm.exe	90

C:\Users\Admin\AppData\Local\Temp\38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe
"C:\Users\Admin\AppData\Local\Temp\38f9027db5db0e80bf54fd0b58834c4e41832fcb5823de688e73b8729c320252.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe
  "C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe
    "C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe"
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe
    "C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe

Filesize
194KB

MD5
df94c0e13e9170afcde2c5fed16a3600

SHA1
1190674c6027614ba60ae23d44f469707ec500fc

SHA256
2610d8a1362ee28e59bc811d63e8d5c63e6021f94635be9a6c0921c6e62c98b2

SHA512
85a0ff0bf2824ac55430dddf967a02ebfc9145159255b148cced9aafc277b66dbc02fad97270fcb7b96a81b378a14ebd10d642884f05347b6278a5f6025a98f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\srdwfhwin.xu

Filesize
300KB

MD5
3697bdd68d183c608df0e176d7b744f7

SHA1
c849862c9c13eac7675be5756d53381cac7fbb38

SHA256
1c628e307e8eaca7458be3b18fe066eb33990e806b2e1add6a42e976656264f3

SHA512
4c63f1274dc3dc44be0c9b1688a43d6b91d38168069af7847d41bf4ca256a24b739f2ce6ff9321c13a45b614883a9790ab2fe834a8a66e5b509c871b0679d88b

Download Submit
memory/1544-16-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-18-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1544-12-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1544-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1544-15-0x00000000747E2000-0x00000000747E3000-memory.dmp

Filesize
4KB

Download
memory/1544-28-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-17-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-19-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-9-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1544-20-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-21-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-24-0x00000000747E2000-0x00000000747E3000-memory.dmp

Filesize
4KB

Download
memory/1544-25-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-26-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1544-27-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2948-5-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads