nanocore | 50d9e490042d226bfaeef0b39c7903d4e166803fd743f6e6a7a6c2aaadfd933c

Analysis

max time kernel
144s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rekt/Rekt/UpdaterBypass.exe
Size

272KB
MD5

466b0d1009bfef71e27740092bc4c286
SHA1

66754e3aaf8128a790f9ddebf9f6830fc0db24cd
SHA256

0af94596f1f3bfb0b3b1d61bf7bedf28347254e5e5e1e8a07110f26e07f8b3cc
SHA512

86ec2fe6ac85a83572753ddb0ed93bdfe1e81b3c955476b3e9a54345b1cc3ab1c3f86f18a61cc7e6ecb8774e07b69f7dcf754afb5e8e23ad17409cde529258d2
SSDEEP

6144:iMhANGQqRGT1HPRPAeZID3ziZSzlGYnC939:hhANyg1HdAeZIviZSzlG6

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

XeKush32.chickenkiller.com:63072

127.0.0.1:63072

Mutex

9a386a9b-a46f-49c4-91d6-d82c1b252ecb

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-05T08:02:20.893902836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
63072
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a386a9b-a46f-49c4-91d6-d82c1b252ecb
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
XeKush32.chickenkiller.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	UpdaterBypass.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UpdaterBypass.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 4632	2272	UpdaterBypass.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdaterBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdaterBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4544	cmd.exe
3364	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3364	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4632	UpdaterBypass.exe
4632	UpdaterBypass.exe
4632	UpdaterBypass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4632	UpdaterBypass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	UpdaterBypass.exe
Token: SeDebugPrivilege	4632	UpdaterBypass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4544	2272	UpdaterBypass.exe	86
PID 2272 wrote to memory of 4544	2272	UpdaterBypass.exe	86
PID 2272 wrote to memory of 4544	2272	UpdaterBypass.exe	86
PID 4544 wrote to memory of 3364	4544	cmd.exe	88
PID 4544 wrote to memory of 3364	4544	cmd.exe	88
PID 4544 wrote to memory of 3364	4544	cmd.exe	88
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 4632	2272	UpdaterBypass.exe	92
PID 2272 wrote to memory of 1488	2272	UpdaterBypass.exe	93
PID 2272 wrote to memory of 1488	2272	UpdaterBypass.exe	93
PID 2272 wrote to memory of 1488	2272	UpdaterBypass.exe	93
PID 2272 wrote to memory of 3272	2272	UpdaterBypass.exe	95
PID 2272 wrote to memory of 3272	2272	UpdaterBypass.exe	95
PID 2272 wrote to memory of 3272	2272	UpdaterBypass.exe	95

C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3364
- C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y7ezfuvs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrnjsebg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\y7ezfuvs.0.cs

Filesize
221B

MD5
1970d18f40cb77845e57803988ff5709

SHA1
9267ebd3ba029c74dd13d3fb28121de5012b09a2

SHA256
30d7b6904297e19bc0e668425754632c4f774b1d9e24fdcb18a98f7497ca826f

SHA512
30c13ca64c09acc354c96277f7e835fa7f4cfc7534caef04389f79eb5bf94c81a87fc7037b642ec8cee778b3d25e90fb8e05630befbfbb09f229a731fca93bf2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y7ezfuvs.cmdline

Filesize
258B

MD5
72663f3277fbac5a9662db5eb2d39aff

SHA1
e6f9fb579a79678fa187d76e0f606b8f6f8865ba

SHA256
dfd14a792c1c87a839c40716dcda53d7f18c8dda2a70daa3a4efa3f27cef1342

SHA512
a7f1fbc749ad2a125014e3f9dfd4638bfbeac32eafc46d31df8832c528eb9e683a1484246151fb6b89d7b08264937337298f2a599b922520523104f1c69d3523

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zrnjsebg.0.cs

Filesize
222B

MD5
b2a3c1b910d9ad1d13e42acb2655366f

SHA1
9f05dfd1ea70f5913d88fa6e94a1a8db163434d8

SHA256
232b51f0a7d5cdacb9208dec5773200142c252d57f2293bb62faaa456a6583e2

SHA512
a9b5ab24e066ab0169262811ca005943a1bd0655368352f14afbb912a6086067e6c34dbc6e11fc0f54d593d9ebc5900d01f2d21713ac0806b40b9d7de899c289

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zrnjsebg.cmdline

Filesize
217B

MD5
4ef523c0a484a2d4a0d4f1d603938115

SHA1
6058b9b9115a9147c5ff31a0ec71e23990e4f2a7

SHA256
371ebc9aa34f173ca00ba92562d74569a656d95959f88a0f8ef7ab38b92c4183

SHA512
a402bd066d875ba867c68463156004da7aeabb56f72aa2c0f504d41cdfdaa9c494eb18ccbd4ac7fb6c26cd0ca273730283699a9efac939c1d781ff7b10f6dd7a

Download Submit
memory/2272-4-0x0000000075472000-0x0000000075473000-memory.dmp

Filesize
4KB

Download
memory/2272-5-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2272-0-0x0000000075472000-0x0000000075473000-memory.dmp

Filesize
4KB

Download
memory/2272-3-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2272-2-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2272-1-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2272-26-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4632-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-10-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4632-11-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4632-12-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4632-27-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download