nanocore | f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d

General

Target

350d5e7320be3cf579bf1afacdbb46c0N.exe
Size

506KB
MD5

350d5e7320be3cf579bf1afacdbb46c0
SHA1

f7220fb639e1c780f6ea23b1d657964f22bcf49a
SHA256

f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d
SHA512

82d08ec44f4d8153ccdd42996604cf2ceab26c853d1a0b1a87257710b6ce115f9bde9dbd3ad93e54bed2f6337872fd877db994050926b0ff315f2bb7fa9ffdde
SSDEEP

12288:0zQFwN0QMq3ZyMliWHt3hewrmrvTKdnMgmuCy:+QFmN3ZhlPt3hewyTK

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

savagesquad.ooguy.com:5314

Mutex

ffbf0a1f-4996-4697-ad52-3b9f73eda21c

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2019-07-07T02:55:03.718306736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
5314
default_group
FUD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffbf0a1f-4996-4697-ad52-3b9f73eda21c
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
savagesquad.ooguy.com
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	350d5e7320be3cf579bf1afacdbb46c0N.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	350d5e7320be3cf579bf1afacdbb46c0N.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

description pid process target process

PID 4992 set thread context of 3060 4992 350d5e7320be3cf579bf1afacdbb46c0N.exe 350d5e7320be3cf579bf1afacdbb46c0N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4992 set thread context of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe350d5e7320be3cf579bf1afacdbb46c0N.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350d5e7320be3cf579bf1afacdbb46c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350d5e7320be3cf579bf1afacdbb46c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1324 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

pid process

3060 350d5e7320be3cf579bf1afacdbb46c0N.exe
3060 350d5e7320be3cf579bf1afacdbb46c0N.exe
3060 350d5e7320be3cf579bf1afacdbb46c0N.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

pid process

3060 350d5e7320be3cf579bf1afacdbb46c0N.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

description pid process

Token: SeDebugPrivilege 3060 350d5e7320be3cf579bf1afacdbb46c0N.exe

pid	process
1324	schtasks.exe

pid	process
3060	350d5e7320be3cf579bf1afacdbb46c0N.exe
3060	350d5e7320be3cf579bf1afacdbb46c0N.exe
3060	350d5e7320be3cf579bf1afacdbb46c0N.exe

pid	process
3060	350d5e7320be3cf579bf1afacdbb46c0N.exe

description	pid	process
Token: SeDebugPrivilege	3060	350d5e7320be3cf579bf1afacdbb46c0N.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

350d5e7320be3cf579bf1afacdbb46c0N.exe

description	pid	process	target process
PID 4992 wrote to memory of 1324	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	schtasks.exe
PID 4992 wrote to memory of 1324	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	schtasks.exe
PID 4992 wrote to memory of 1324	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	schtasks.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060	4992	350d5e7320be3cf579bf1afacdbb46c0N.exe	350d5e7320be3cf579bf1afacdbb46c0N.exe

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
2⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\350d5e7320be3cf579bf1afacdbb46c0N.exe.log

Filesize
588B

MD5
49461f799113a05a28d6b992090c22ce

SHA1
4049a26ca32ff9ed84fd748b75b36b73e17510ce

SHA256
efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3

SHA512
dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp

Filesize
1KB

MD5
6fdc6da05762a26f3ef1cd3283b47a72

SHA1
68e2780e8dfcf37796d7ef1287fd2559b3a50d8c

SHA256
99bdefc451c9ffad51d709944906ccc7c651c1e44e908bc40bc5f581651defbf

SHA512
3e07e3d22296c4ea70aced2793f036f1df8bdb4bdbb675551a15d213bd252175052c774777fab4f14d9f2598fb59e406a8bd09968d536e2ef6f8827b390f58bd

Download Submit
memory/3060-14-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/3060-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-15-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/3060-17-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/3060-18-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/3060-19-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4992-3-0x0000000074D62000-0x0000000074D63000-memory.dmp

Filesize
4KB

Download
memory/4992-4-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4992-2-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4992-1-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4992-13-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4992-0-0x0000000074D62000-0x0000000074D63000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads