nanocore | 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226

General

Target

4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
Size

629KB
MD5

280baa14b25c23e63122a4028928dff0
SHA1

8070c5e450768312a50c64be6edc386b009bea77
SHA256

4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226
SHA512

26b96a7b246c3abaa02a989ea1e90a9ede181133f8a1e1b9605b3812f1505527d4164e14c169c73773e5872881bfa512793cffb381110c4a3b4f160e307f0f6f
SSDEEP

12288:6dbG8Q1q8vDd/e6REdJqTu5XWN62tlN3d8SPzG2gvXqQ4tqXZUwxTJ:n8C7pecAMC5XKvNt8S7Nsy4FlJ

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

pnauco5.ddns.net:1664

Mutex

cde38e58-d99c-4068-b775-59569bc2e8ce

Attributes

activate_away_mode
true
backup_connection_host
pnauco5.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-07-03T06:48:27.569053036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1664
default_group
NEW
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cde38e58-d99c-4068-b775-59569bc2e8ce
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pnauco5.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe"	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
File opened for modification	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
1972	powershell.exe
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1972	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	30
PID 2516 wrote to memory of 1972	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	30
PID 2516 wrote to memory of 1972	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	30
PID 2516 wrote to memory of 1972	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	30
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2516 wrote to memory of 2332	2516	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	32
PID 2332 wrote to memory of 2808	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	33
PID 2332 wrote to memory of 2808	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	33
PID 2332 wrote to memory of 2808	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	33
PID 2332 wrote to memory of 2808	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	33
PID 2332 wrote to memory of 2656	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	35
PID 2332 wrote to memory of 2656	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	35
PID 2332 wrote to memory of 2656	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	35
PID 2332 wrote to memory of 2656	2332	4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe	35

C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
"C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
  "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "IMAP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4328.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "IMAP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp43D5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4328.tmp

Filesize
1KB

MD5
1ba3298e956e427c9e9e4bd39f6a4769

SHA1
29d0b963437e7c25ca335515dc23b8851b62bada

SHA256
ef5aaf504b9f3d6bfb28c79e91dec9f212a47971f28a269870c50590a32f00ab

SHA512
aa915d74ba0ede9d1c71dc2ae48ac4ea8b29f749b3e484554feb6c37e9481963f55905a15d05e75cb45a9e7889051121edaaa77bcee106160cb82e4619294d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43D5.tmp

Filesize
1KB

MD5
d2d6911d94b06e405e7687a2437eafec

SHA1
9f28f9e7d8d5179d44ddaa6ca266984ed7521dea

SHA256
2dc87169ad53fbdd7abb08f49777cb8fb05adbff4e6f6616b4c89942af8cad0f

SHA512
b5983de701ff98e944283a25f1770c1e792d52148dc1671f1d19203f8b9d10b056abcf79a17ca536a5f88ccf52f6445d8f3e75fce628666640ad8bad697dcfd1

Download Submit
memory/2332-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-39-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2332-49-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-47-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-46-0x0000000001240000-0x0000000001254000-memory.dmp

Filesize
80KB

Download
memory/2332-18-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-45-0x0000000001210000-0x000000000123E000-memory.dmp

Filesize
184KB

Download
memory/2332-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-44-0x00000000011B0000-0x00000000011BE000-memory.dmp

Filesize
56KB

Download
memory/2332-20-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-43-0x0000000000FA0000-0x0000000000FB4000-memory.dmp

Filesize
80KB

Download
memory/2332-42-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/2332-30-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2332-31-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/2332-32-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2332-35-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2332-36-0x0000000000670000-0x000000000068A000-memory.dmp

Filesize
104KB

Download
memory/2332-37-0x0000000000C30000-0x0000000000C3E000-memory.dmp

Filesize
56KB

Download
memory/2332-38-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/2332-41-0x0000000000F80000-0x0000000000F94000-memory.dmp

Filesize
80KB

Download
memory/2332-40-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/2516-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-1-0x0000000001260000-0x0000000001304000-memory.dmp

Filesize
656KB

Download
memory/2516-3-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2516-19-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/2516-6-0x0000000004A30000-0x0000000004AAA000-memory.dmp

Filesize
488KB

Download
memory/2516-5-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-4-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads