nanocore | 8bdde20f5655fa32fc546f3b4e66b3b2a2872c0e55a73c377245808ffd218829

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Accelya NDC SPRK.scr.exe
Size

1.0MB
MD5

15bd4ca6b9d238c9eca4159e5ac550c7
SHA1

b184f22c346fc02f7eb98d979434cb5ee945cb05
SHA256

8bdde20f5655fa32fc546f3b4e66b3b2a2872c0e55a73c377245808ffd218829
SHA512

e16c4be80024ae7bba60679801d68df24f5ead6167974f93a97db585adb285f23292404b7a93c45711d014e3f925336180d25e3e898d4a9fe6d611c1466a6074
SSDEEP

24576:Mnpn/lsoEJvYWVX7UiLS2z+Q++D00BKidflm3ilPm:MnpnN3oYALU12z+UDjBKQl4v

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

e-businessloader.mywire.org:5230

127.0.0.1:5230

Mutex

0be0e5d9-4209-4f88-b4fe-27e7b678a0b5

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-03-16T21:32:38.702958636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5230
default_group
e-business
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0be0e5d9-4209-4f88-b4fe-27e7b678a0b5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
e-businessloader.mywire.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1460 created 3484	1460	Accelya NDC SPRK.scr.exe	56

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amtjh = "C:\\Users\\Admin\\AppData\\Roaming\\Amtjh.exe"	Accelya NDC SPRK.scr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 4532	1460	Accelya NDC SPRK.scr.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accelya NDC SPRK.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1460	Accelya NDC SPRK.scr.exe
4532	InstallUtil.exe
4532	InstallUtil.exe
4532	InstallUtil.exe
4532	InstallUtil.exe
4532	InstallUtil.exe
4532	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	Accelya NDC SPRK.scr.exe
Token: SeDebugPrivilege	1460	Accelya NDC SPRK.scr.exe
Token: SeDebugPrivilege	4532	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86
PID 1460 wrote to memory of 4532	1460	Accelya NDC SPRK.scr.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK.scr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1460-1-0x0000000000D50000-0x0000000000E56000-memory.dmp

Filesize
1.0MB

Download
memory/1460-2-0x00000000057C0000-0x00000000058C2000-memory.dmp

Filesize
1.0MB

Download
memory/1460-6-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-10-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-58-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-66-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-64-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-62-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-60-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-56-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-54-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-52-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-48-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-44-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-42-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-38-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-36-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-34-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-32-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-30-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-26-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-25-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-20-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-18-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-16-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-14-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-12-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-8-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-4-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-50-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-46-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-40-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-28-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-22-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-3-0x00000000057C0000-0x00000000058BC000-memory.dmp

Filesize
1008KB

Download
memory/1460-1077-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-1078-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-1079-0x0000000005990000-0x0000000005A0C000-memory.dmp

Filesize
496KB

Download
memory/1460-1080-0x0000000005920000-0x000000000596C000-memory.dmp

Filesize
304KB

Download
memory/1460-1083-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-1085-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-1086-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-1087-0x0000000006520000-0x0000000006AC4000-memory.dmp

Filesize
5.6MB

Download
memory/1460-1088-0x0000000005C40000-0x0000000005C94000-memory.dmp

Filesize
336KB

Download
memory/1460-1093-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4532-1091-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4532-1092-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4532-1094-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/4532-1095-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/4532-1096-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4532-1097-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/4532-1099-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/4532-1100-0x0000000004EB0000-0x0000000004ECE000-memory.dmp

Filesize
120KB

Download
memory/4532-1101-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/4532-1104-0x0000000006390000-0x000000000639C000-memory.dmp

Filesize
48KB

Download
memory/4532-1105-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/4532-1106-0x00000000063D0000-0x00000000063DE000-memory.dmp

Filesize
56KB

Download
memory/4532-1109-0x0000000006400000-0x000000000640C000-memory.dmp

Filesize
48KB

Download
memory/4532-1107-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/4532-1111-0x0000000006420000-0x0000000006430000-memory.dmp

Filesize
64KB

Download
memory/4532-1108-0x00000000063F0000-0x00000000063FE000-memory.dmp

Filesize
56KB

Download
memory/4532-1110-0x0000000006410000-0x0000000006424000-memory.dmp

Filesize
80KB

Download
memory/4532-1112-0x0000000006440000-0x0000000006454000-memory.dmp

Filesize
80KB

Download
memory/4532-1115-0x00000000064A0000-0x00000000064B4000-memory.dmp

Filesize
80KB

Download
memory/4532-1114-0x0000000006470000-0x000000000649E000-memory.dmp

Filesize
184KB

Download
memory/4532-1113-0x0000000006460000-0x000000000646E000-memory.dmp

Filesize
56KB

Download
memory/4532-1116-0x00000000067B0000-0x0000000006816000-memory.dmp

Filesize
408KB

Download
memory/4532-1118-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4532-1119-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download