nanocore | 9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5

General

Target

9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe
Size

1.1MB
MD5

5d7b948a847dbd220c4bb1eef51800dc
SHA1

05d8c469e46ce175d7b66b4af184752e2118d2e3
SHA256

9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5
SHA512

22e04911e03fcdead92675aaa1800dcbf26a4715155c27ce1bfac6248fea099946557caf52d52bb8082056b2b2ebe8672fd1b08def57e83b05ddf2fcab3c51c1
SSDEEP

24576:rAOcZEhmmq7Yryvvaysx+C0SUKHjTq6ai0bagi7xa5Wq:t5IvaPxABKHjTq6d4a5wR

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

strongodss.ddns.net:48562

185.19.85.175:48562

Mutex

ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6

Attributes

activate_away_mode
false
backup_connection_host
185.19.85.175
backup_dns_server
buffer_size
65538
build_time
2021-04-20T00:12:13.961451136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
48562
default_group
HOBBIT
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
strongodss.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe

Executes dropped EXE 2 IoCs

pid	Process
4648	jlah.pif
3224	RegSvcs.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\39027638\\jlah.pif C:\\Users\\Admin\\AppData\\Roaming\\39027638\\LKBJRI~1.CRM"	jlah.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\39027638\\Update.vbs"	jlah.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4648 set thread context of 3224	4648	jlah.pif	92

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jlah.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4880	schtasks.exe
4780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3224	RegSvcs.exe
3224	RegSvcs.exe
3224	RegSvcs.exe
3224	RegSvcs.exe
3224	RegSvcs.exe
3224	RegSvcs.exe
3224	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3224	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	RegSvcs.exe
Token: SeDebugPrivilege	3224	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 4648	2248	9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe	83
PID 2248 wrote to memory of 4648	2248	9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe	83
PID 2248 wrote to memory of 4648	2248	9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe	83
PID 4648 wrote to memory of 3224	4648	jlah.pif	92
PID 4648 wrote to memory of 3224	4648	jlah.pif	92
PID 4648 wrote to memory of 3224	4648	jlah.pif	92
PID 4648 wrote to memory of 3224	4648	jlah.pif	92
PID 4648 wrote to memory of 3224	4648	jlah.pif	92
PID 3224 wrote to memory of 4880	3224	RegSvcs.exe	93
PID 3224 wrote to memory of 4880	3224	RegSvcs.exe	93
PID 3224 wrote to memory of 4880	3224	RegSvcs.exe	93
PID 3224 wrote to memory of 4780	3224	RegSvcs.exe	95
PID 3224 wrote to memory of 4780	3224	RegSvcs.exe	95
PID 3224 wrote to memory of 4780	3224	RegSvcs.exe	95

C:\Users\Admin\AppData\Local\Temp\9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe
"C:\Users\Admin\AppData\Local\Temp\9e90ec0fbcb09abea7ba753c13340723437dcabfee11325ccb13c760930234f5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\39027638\jlah.pif
  "C:\Users\Admin\AppData\Roaming\39027638\jlah.pif" lkbjriilda.crm
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4880
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpACEA.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp

Filesize
1KB

MD5
95aceabc58acad5d73372b0966ee1b35

SHA1
2293b7ad4793cf574b1a5220e85f329b5601040a

SHA256
8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

SHA512
00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACEA.tmp

Filesize
1KB

MD5
0479d5f304ef2d7e3c15fb24a99f88c1

SHA1
8edbb1450a656fac5f5e96779ffe440ee8c1aec9

SHA256
112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc

SHA512
537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

Download Submit
C:\Users\Admin\AppData\Roaming\39027638\jlah.pif

Filesize
758KB

MD5
8935e163bb79e8d4b40b73521a06a0d1

SHA1
dfd9f6cd5dabf0c2fae0186b5471f025f542c708

SHA256
3a2b62144b3b6bc612770de7777233c96ea35e50e9fd7b0b482862825d728fdb

SHA512
76620b23fe5f2bcc783bcbd7fb27a68a171751a96b459f757045f80e027d452724c73292a008acad58eb58b6eb99dddf82130a83e761e35b7e5c4d89b058d175

Download Submit
C:\Users\Admin\AppData\Roaming\39027638\qjestopcw.iok

Filesize
420KB

MD5
62a8085ffac783e39c5dfe5d8e45d5b2

SHA1
4b4f0210fe85b783e0c9e3792aab7c3b2f657944

SHA256
55933b33de23d816190632168e3dbcf5455b2e0100a1aa71a9eb4929becc7867

SHA512
c75eb0cb77c278cf5ef3c311ec040c4186277e8a28c088491099a37091fd6233b887b11628cc5d10ece510249eeb3bc3aed8d6cd140968aa2fd928e66ecc65c9

Download Submit
C:\Users\Admin\AppData\Roaming\39027638\ungipniv.exe

Filesize
65KB

MD5
831808ca1f13df608de284cba4d9dfed

SHA1
cb9902cc9f49755a592bd1abcfc874725aa8fde3

SHA256
a637d08e7c9b55b699ee1097b26b18bf4f4f79d01d464656a51f29b9d0ee773e

SHA512
73dda943b1432284d57396d3d1eec68e2cffbf25ff12db44cdf2b5f72d16422d8eca3fcbd0d49ec159e99d48b5c10c16faca0c1468bafe4c4f51cc7fd8b7e232

Download Submit
memory/3224-68-0x0000000000700000-0x0000000000C8C000-memory.dmp

Filesize
5.5MB

Download
memory/3224-73-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3224-74-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/3224-75-0x0000000005490000-0x000000000552C000-memory.dmp

Filesize
624KB

Download
memory/3224-76-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/3224-72-0x0000000000700000-0x000000000073A000-memory.dmp

Filesize
232KB

Download
memory/3224-71-0x000000007248E000-0x000000007248F000-memory.dmp

Filesize
4KB

Download
memory/3224-84-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3224-85-0x0000000005630000-0x000000000563C000-memory.dmp

Filesize
48KB

Download
memory/3224-86-0x0000000005690000-0x00000000056AE000-memory.dmp

Filesize
120KB

Download
memory/3224-87-0x00000000064A0000-0x00000000064AA000-memory.dmp

Filesize
40KB

Download
memory/3224-88-0x000000007248E000-0x000000007248F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads