nanocore | d329235b98441762a8d76507e5f057682b55f2cf2773936983860c86591b9f5c

General

Target

PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
Size

232KB
MD5

d07af779817b39b6bcbc1fcdf2975251
SHA1

488bfa62a2fd93f5b1be98a3bc47c9bed90bfbf6
SHA256

3bd22b44d0b4a141383986eeef066479164316ab6dc14ce6c9c95365784e617b
SHA512

40dd24bb9159c21470098eb8272dd7c36f0e6c1b2f5a297bc3a5df53d740d758fc978259b7c6df26835f1bf01568a01e9c07e65316b8fe97506e4c170ad43d33
SSDEEP

3072:is7WyoaEZqhKH0oLRLlE/BP2Z1WbYb6VkJxWpFTT/0wmFT/3B5oRtHe8iG9/BPmy:3Roa/hK7X82BblY/T/2J5oRDN9JuftOB

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

swizz666.ddns.net:4141

127.0.0.1:4141

Mutex

9e2d87fd-dfa6-4561-95f1-b9bc43662991

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2019-10-18T17:09:04.973830336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4141
default_group
LORDLORD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9e2d87fd-dfa6-4561-95f1-b9bc43662991
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
swizz666.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	37.235.1.177
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.177
Destination IP	37.235.1.174

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Manager = "C:\\Program Files (x86)\\UDP Manager\\udpmgr.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Manager\udpmgr.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\UDP Manager\udpmgr.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
2524	RegAsm.exe
2524	RegAsm.exe
2524	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30
PID 1620 wrote to memory of 2524	1620	PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe	30

C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-0-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1620-1-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/1620-2-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-29-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-28-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-27-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-26-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-25-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1620-24-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-23-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-22-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-21-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-20-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-19-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-18-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-17-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-16-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-15-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-14-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-12-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-11-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-10-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-9-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-7-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-6-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-5-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-4-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1620-3-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2524-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-35-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2524-36-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/2524-37-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads