nanocore | 98b7b74d2f1f83614f54d7eb5c9fa320a86fba7a43a77712b2289d1a439d8fa6

General

Target

POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Size

720KB
MD5

afcc0c7f6fadf41949e66c9325b9f843
SHA1

c1562634e7d393b54606731becad8d4d11fcba39
SHA256

7dc65cb43a6491e7da09935a8e8d20c33873fc75e370b9a701aea0a660e85b80
SHA512

e80cb56e77d3a9532a6174a11adc476cfee7246d86aa47a9bf7a86ddfb23c8dcfe8c5cd580e998aea4f1e8b324b55a9205091fee89b1efccc37dd8e1829e22aa
SSDEEP

12288:2X9kXkXenHgjxJNmtOjaMohwWGVYMdyE2oApCJWX0HSx59B:CzfvaMomDVYMduXp8WX0yxV

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

shahzad73.casacam.net:9036

shahzad73.ddns.net:9036

Mutex

c4cca249-81f6-4232-9f14-01569e09f5f0

Attributes

activate_away_mode
true
backup_connection_host
shahzad73.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-06T13:23:03.514637236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9036
default_group
JANUARY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c4cca249-81f6-4232-9f14-01569e09f5f0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
shahzad73.casacam.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Token: SeDebugPrivilege	2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2692	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	29
PID 2300 wrote to memory of 2692	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	29
PID 2300 wrote to memory of 2692	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	29
PID 2300 wrote to memory of 2692	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	29
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2300 wrote to memory of 2716	2300	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	31
PID 2716 wrote to memory of 2728	2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	32
PID 2716 wrote to memory of 2728	2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	32
PID 2716 wrote to memory of 2728	2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	32
PID 2716 wrote to memory of 2728	2716	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	32

C:\Users\Admin\AppData\Local\Temp\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gVFZdFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
  "{path}"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B9C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp

Filesize
1KB

MD5
8ad8033c769453f8e6732634c58b86c6

SHA1
6f05f147a23f312067b13bae671da5fbba35192d

SHA256
bc0316e9b18a0c5c5916377c40fe35e586ff53ee53a1121bcea9080da29f958a

SHA512
07968cb42e2a709675e91b43bba73355b098760d62c0c90306966cef59165e9c05ec1324b54d86ebc085de18ef9bb1c53cab43c6685af8d3f899a1f41c60cf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B9C.tmp

Filesize
1KB

MD5
59a252ec8013af9be928607b0b70e624

SHA1
94a043bf2290a9cea7395a1e589669cb734c7d82

SHA256
5758b98d1ca1d1c4321eb896e533890ccb2d4d8ced1504971d437bb6b69417a3

SHA512
7f04f381d477dded46e49e3f98af3eea324babd42cc98de7b7a2c7c408c02f29d63bb0c7fcbc8f913e032cf9845e9474a77c2ec754ea8ae7a87ee9af79da1aaa

Download Submit
memory/2300-0-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x0000000000F60000-0x000000000101A000-memory.dmp

Filesize
744KB

Download
memory/2300-2-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-3-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2300-4-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/2300-5-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-6-0x0000000000F00000-0x0000000000F5E000-memory.dmp

Filesize
376KB

Download
memory/2300-26-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-25-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-28-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-32-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2716-33-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/2716-34-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2716-35-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-36-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads