nanocore | 50d9e490042d226bfaeef0b39c7903d4e166803fd743f6e6a7a6c2aaadfd933c

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rekt/Rekt/UpdaterBypass.exe
Size

272KB
MD5

466b0d1009bfef71e27740092bc4c286
SHA1

66754e3aaf8128a790f9ddebf9f6830fc0db24cd
SHA256

0af94596f1f3bfb0b3b1d61bf7bedf28347254e5e5e1e8a07110f26e07f8b3cc
SHA512

86ec2fe6ac85a83572753ddb0ed93bdfe1e81b3c955476b3e9a54345b1cc3ab1c3f86f18a61cc7e6ecb8774e07b69f7dcf754afb5e8e23ad17409cde529258d2
SSDEEP

6144:iMhANGQqRGT1HPRPAeZID3ziZSzlGYnC939:hhANyg1HdAeZIviZSzlG6

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

XeKush32.chickenkiller.com:63072

127.0.0.1:63072

Mutex

9a386a9b-a46f-49c4-91d6-d82c1b252ecb

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-05T08:02:20.893902836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
63072
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a386a9b-a46f-49c4-91d6-d82c1b252ecb
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
XeKush32.chickenkiller.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UpdaterBypass.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2736	2412	UpdaterBypass.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdaterBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdaterBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1948	cmd.exe
1296	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1296	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2736	UpdaterBypass.exe
2736	UpdaterBypass.exe
2736	UpdaterBypass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	UpdaterBypass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	UpdaterBypass.exe
Token: SeDebugPrivilege	2736	UpdaterBypass.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 2412 wrote to memory of 1948	2412	UpdaterBypass.exe	29
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 1948 wrote to memory of 1296	1948	cmd.exe	31
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 2736	2412	UpdaterBypass.exe	32
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 3000	2412	UpdaterBypass.exe	33
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35
PID 2412 wrote to memory of 2888	2412	UpdaterBypass.exe	35

C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1296
- C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9lixklyg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sffgfpw7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\9lixklyg.0.cs

Filesize
221B

MD5
1970d18f40cb77845e57803988ff5709

SHA1
9267ebd3ba029c74dd13d3fb28121de5012b09a2

SHA256
30d7b6904297e19bc0e668425754632c4f774b1d9e24fdcb18a98f7497ca826f

SHA512
30c13ca64c09acc354c96277f7e835fa7f4cfc7534caef04389f79eb5bf94c81a87fc7037b642ec8cee778b3d25e90fb8e05630befbfbb09f229a731fca93bf2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9lixklyg.cmdline

Filesize
258B

MD5
c40d94e7565ec58d0f333346dd28b4bf

SHA1
ff931d1730c1322826f550bf9fdd91d7dbc0fade

SHA256
0f7875d1f538ed81b624717dafe542ca9314e55b2cfde18819616c5e458d93f7

SHA512
2327e356a9b001e62f74908c4ff82649b78603c735a46f2d8ebf849900c7bbda17454b2287e777c53ed816fa7ad2ff27a8d68eebf91acb9f49bb219a1d572bea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sffgfpw7.0.cs

Filesize
222B

MD5
b2a3c1b910d9ad1d13e42acb2655366f

SHA1
9f05dfd1ea70f5913d88fa6e94a1a8db163434d8

SHA256
232b51f0a7d5cdacb9208dec5773200142c252d57f2293bb62faaa456a6583e2

SHA512
a9b5ab24e066ab0169262811ca005943a1bd0655368352f14afbb912a6086067e6c34dbc6e11fc0f54d593d9ebc5900d01f2d21713ac0806b40b9d7de899c289

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sffgfpw7.cmdline

Filesize
217B

MD5
6e89f332d5619916495658876db77799

SHA1
ef23ac1c2e0880020e6bd95ae620111dc4ba1b17

SHA256
83c50d1cdf2ae4f96500da03adbbad4aa2aef36119f3dfab716bff5b99f96749

SHA512
e5ee87ddbbd29aabae3567af536c770406c22386ef63b63ec4b0c9b6733e661a810b80e3ae2d098bd936fefe06170f8c09fd0bb3b81a30b61d167e13bacb996b

Download Submit
memory/2412-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-3-0x0000000074862000-0x0000000074864000-memory.dmp

Filesize
8KB

Download
memory/2412-4-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-32-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-0-0x0000000074862000-0x0000000074864000-memory.dmp

Filesize
8KB

Download
memory/2736-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download