nanocore | 976eb912c8c957c2bca5f8812568fa1a8d2ab71881af1526c276a52ad0bdf9ea

General

Target

ORDERS.scr
Size

1.1MB
MD5

acebb19a9b0ac74a82d68dd9919752a7
SHA1

2d3d7c32c22329cd8e19eec67fcc8fdcc7c63168
SHA256

52c1daa48f7a7341a1fe5b90241cdbd64b4e2586c0d9f27284449be57247ad76
SHA512

8bf7cdc831262227948b67f33ed7c3c8a7d8f39d511eaf01ef132334a0beb0282f5335a4006062c8912d7df8e5d51bff91c31e9849258a9ac05ce612bb9791ce
SSDEEP

24576:bNA3R5drXadXhgHG+8DJ6Q6qgb/j5fjnQbz8qXAX4FQYcZRSnqJSW:G5CXhI/8DJh6nL5fjnuzHQX465RFJ

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

tats2lou.ddns.net:19864

xeliteme.us:19864

Mutex

4a26dce4-1082-4ec8-978b-651dfc38d839

Attributes

activate_away_mode
false
backup_connection_host
xeliteme.us
backup_dns_server
buffer_size
65538
build_time
2019-11-15T05:23:16.617165636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
19864
default_group
A1
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
4a26dce4-1082-4ec8-978b-651dfc38d839
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tats2lou.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 1 IoCs

pid	Process
2572	heldecibuq.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "c:\\F2818E~1\\HELDEC~1.EXE c:\\F2818E~1\\spnhv.thc"	heldecibuq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 1644	2572	heldecibuq.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SCSI Host\scsihost.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SCSI Host\scsihost.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heldecibuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
320	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1644	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	RegSvcs.exe
Token: SeDebugPrivilege	1644	RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2584	1852	ORDERS.scr	31
PID 1852 wrote to memory of 2584	1852	ORDERS.scr	31
PID 1852 wrote to memory of 2584	1852	ORDERS.scr	31
PID 1852 wrote to memory of 2584	1852	ORDERS.scr	31
PID 2584 wrote to memory of 2572	2584	WScript.exe	32
PID 2584 wrote to memory of 2572	2584	WScript.exe	32
PID 2584 wrote to memory of 2572	2584	WScript.exe	32
PID 2584 wrote to memory of 2572	2584	WScript.exe	32
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 2572 wrote to memory of 1644	2572	heldecibuq.exe	33
PID 1644 wrote to memory of 320	1644	RegSvcs.exe	34
PID 1644 wrote to memory of 320	1644	RegSvcs.exe	34
PID 1644 wrote to memory of 320	1644	RegSvcs.exe	34
PID 1644 wrote to memory of 320	1644	RegSvcs.exe	34
PID 1644 wrote to memory of 2764	1644	RegSvcs.exe	36
PID 1644 wrote to memory of 2764	1644	RegSvcs.exe	36
PID 1644 wrote to memory of 2764	1644	RegSvcs.exe	36
PID 1644 wrote to memory of 2764	1644	RegSvcs.exe	36

C:\Users\Admin\AppData\Local\Temp\ORDERS.scr
"C:\Users\Admin\AppData\Local\Temp\ORDERS.scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\f2818e0517\ssoe.vbe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\f2818e0517\heldecibuq.exe
    "C:\f2818e0517\heldecibuq.exe" spnhv.thc
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF6DD.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:320
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF75B.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\F2818E~1\uwuxpfi.mp3

Filesize
471KB

MD5
28c8e86a1628d62557379bb77bc35902

SHA1
bd8a5cdc943412e19ff774ae52b30cb908f5f038

SHA256
679d9420d3fb1f12001f02345521a437654491173acbf60ae302e23f0593b809

SHA512
d3603e1d1d8a0a68f8752f5a05fd8880439066fb8487adb8db6a75225f0531dd3f607b1fffb102f2503a188fb33e038af08bcc523363ead2db34a3fe6e6b63cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6DD.tmp

Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF75B.tmp

Filesize
1KB

MD5
9a559f229be0944bc3dc813cde333f50

SHA1
0e97c97eea032b499ff060e799581e32beeceb09

SHA256
a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330

SHA512
4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68

Download Submit
C:\f2818e0517\heldecibuq.exe

Filesize
646KB

MD5
a3e8113ff31e86152d4a384dab4ea102

SHA1
28cabe6b57d14f6dd47a880c51bc9726d017989f

SHA256
d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977

SHA512
f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290

Download Submit
C:\f2818e0517\ssoe.vbe

Filesize
40KB

MD5
c20048dad2cd829b63302a2e017fc888

SHA1
94482fed7a6335e23ef26f87b2a94320893c18af

SHA256
7a03af4b8eb03756865b86580b3484c6f0d237a5fc3e842e3106722b480a9aee

SHA512
972d68180c37bed93db90d1fa6b221606548cd39584e90dd4616379eba2cd5edd5e383522b2937a7312821a6f8c23f8ee540d784c08f2840cb99a7e0401c2667

Download Submit
memory/1644-55-0x0000000000C20000-0x0000000001C20000-memory.dmp

Filesize
16.0MB

Download
memory/1644-58-0x0000000000C20000-0x0000000001C20000-memory.dmp

Filesize
16.0MB

Download
memory/1644-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-61-0x0000000000C20000-0x0000000000C5A000-memory.dmp

Filesize
232KB

Download
memory/1644-60-0x0000000000C20000-0x0000000001C20000-memory.dmp

Filesize
16.0MB

Download
memory/1644-59-0x0000000000C20000-0x0000000001C20000-memory.dmp

Filesize
16.0MB

Download
memory/1644-69-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/1644-70-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/1644-71-0x0000000000A90000-0x0000000000AAE000-memory.dmp

Filesize
120KB

Download
memory/1644-72-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads