nanocore | b6b18cdd0c3bc6c1a7501b5b46dd3332aab1e104d0ecef45b8d0f81f246c1db5

General

Target

lbkefhzm.exe
Size

194KB
MD5

df94c0e13e9170afcde2c5fed16a3600
SHA1

1190674c6027614ba60ae23d44f469707ec500fc
SHA256

2610d8a1362ee28e59bc811d63e8d5c63e6021f94635be9a6c0921c6e62c98b2
SHA512

85a0ff0bf2824ac55430dddf967a02ebfc9145159255b148cced9aafc277b66dbc02fad97270fcb7b96a81b378a14ebd10d642884f05347b6278a5f6025a98f0
SSDEEP

3072:yDM3BbjHUffrVYDdJuNFS+gwRiz+iGxKmlGsEgSYRIuAg0FujwZ3UMk53:yDIKr0Pu7SPy4+i3MAOGI3

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

multipleentry90dayscontroller.homingbeacon.net:54980

Mutex

6df769ca-fa90-4d27-be6c-663c699e6628

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-28T11:56:28.201018636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
54980
default_group
K59
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6df769ca-fa90-4d27-be6c-663c699e6628
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
multipleentry90dayscontroller.homingbeacon.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwsscwwgp = "C:\\Users\\Admin\\AppData\\Roaming\\lhhqavvfo\\okttpyiien.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lbkefhzm.exe\""	lbkefhzm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"	lbkefhzm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lbkefhzm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3524 set thread context of 2612	3524	lbkefhzm.exe	87

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WAN Subsystem\wanss.exe	lbkefhzm.exe
File opened for modification	C:\Program Files (x86)\WAN Subsystem\wanss.exe	lbkefhzm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbkefhzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbkefhzm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2612	lbkefhzm.exe
2612	lbkefhzm.exe
2612	lbkefhzm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	lbkefhzm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3524	lbkefhzm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	lbkefhzm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 2612	3524	lbkefhzm.exe	87
PID 3524 wrote to memory of 2612	3524	lbkefhzm.exe	87
PID 3524 wrote to memory of 2612	3524	lbkefhzm.exe	87
PID 3524 wrote to memory of 2612	3524	lbkefhzm.exe	87

C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe
"C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe
  "C:\Users\Admin\AppData\Local\Temp\lbkefhzm.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-9-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-11-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2612-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2612-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2612-6-0x0000000073DF2000-0x0000000073DF3000-memory.dmp

Filesize
4KB

Download
memory/2612-7-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-8-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2612-20-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-10-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-12-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-15-0x0000000073DF2000-0x0000000073DF3000-memory.dmp

Filesize
4KB

Download
memory/2612-16-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-17-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-18-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-19-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download
memory/3524-0-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads