nanocore | 03f869fc2438617cbd973ac052b07fdef9b3f5d67e0df12a2e43307b6c477db0

General

Target

6EBE30726B851619E4F0D8762B09470D.exe
Size

772KB
MD5

6ebe30726b851619e4f0d8762b09470d
SHA1

9e84211962e9b46d7d09286213b808b6d614b326
SHA256

03f869fc2438617cbd973ac052b07fdef9b3f5d67e0df12a2e43307b6c477db0
SHA512

f87d30f94423d8a2d62ebaa6b701218c98350cd899b0532d350987c750df26cf83e9d6452890b15c4ae8e2bcba25813ed53fa62a044d22571f926c63a45962d8
SSDEEP

12288:qYCjROpcK2rLeDU+qcHwOsq5GRG+LrB38nq2YgNTCpCjFZg:qYCVOpJ2rLAj3VsXR9HBQNT7j/g

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

alertt.duckdns.org:6445

Mutex

d046c01c-51f5-4c8c-b5b9-b566d533dece

Attributes

activate_away_mode
true
backup_connection_host
alertt.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-11-18T08:12:48.987215636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6445
default_group
RollingStone
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d046c01c-51f5-4c8c-b5b9-b566d533dece
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
alertt.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 3 IoCs

Processes:

whutenyh.exewhutenyh.exewhutenyh.exe

pid	Process
2316	whutenyh.exe
1484	whutenyh.exe
1976	whutenyh.exe

Loads dropped DLL 3 IoCs

Processes:

6EBE30726B851619E4F0D8762B09470D.exewhutenyh.exe

pid	Process
2084	6EBE30726B851619E4F0D8762B09470D.exe
2316	whutenyh.exe
2316	whutenyh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

whutenyh.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgcluqavfoktdy = "C:\\Users\\Admin\\AppData\\Roaming\\cxhqm\\vfbkgpyuenjso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\whutenyh.exe\" C:\\Users\\Admin\\AppData\\Loc"	whutenyh.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

whutenyh.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whutenyh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

whutenyh.exe

description	pid	Process	procid_target
PID 2316 set thread context of 1976	2316	whutenyh.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6EBE30726B851619E4F0D8762B09470D.exewhutenyh.exewhutenyh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6EBE30726B851619E4F0D8762B09470D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whutenyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whutenyh.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

whutenyh.exe

pid	Process
1976	whutenyh.exe
1976	whutenyh.exe
1976	whutenyh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

whutenyh.exe

pid	Process
1976	whutenyh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

whutenyh.exe

pid	Process
2316	whutenyh.exe
2316	whutenyh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whutenyh.exe

description	pid	Process
Token: SeDebugPrivilege	1976	whutenyh.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6EBE30726B851619E4F0D8762B09470D.exewhutenyh.exe

description	pid	Process	procid_target
PID 2084 wrote to memory of 2316	2084	6EBE30726B851619E4F0D8762B09470D.exe	31
PID 2084 wrote to memory of 2316	2084	6EBE30726B851619E4F0D8762B09470D.exe	31
PID 2084 wrote to memory of 2316	2084	6EBE30726B851619E4F0D8762B09470D.exe	31
PID 2084 wrote to memory of 2316	2084	6EBE30726B851619E4F0D8762B09470D.exe	31
PID 2316 wrote to memory of 1484	2316	whutenyh.exe	32
PID 2316 wrote to memory of 1484	2316	whutenyh.exe	32
PID 2316 wrote to memory of 1484	2316	whutenyh.exe	32
PID 2316 wrote to memory of 1484	2316	whutenyh.exe	32
PID 2316 wrote to memory of 1976	2316	whutenyh.exe	33
PID 2316 wrote to memory of 1976	2316	whutenyh.exe	33
PID 2316 wrote to memory of 1976	2316	whutenyh.exe	33
PID 2316 wrote to memory of 1976	2316	whutenyh.exe	33
PID 2316 wrote to memory of 1976	2316	whutenyh.exe	33

C:\Users\Admin\AppData\Local\Temp\6EBE30726B851619E4F0D8762B09470D.exe
"C:\Users\Admin\AppData\Local\Temp\6EBE30726B851619E4F0D8762B09470D.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\whutenyh.exe
  "C:\Users\Admin\AppData\Local\Temp\whutenyh.exe" C:\Users\Admin\AppData\Local\Temp\oktqpmhnaju.huc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\whutenyh.exe
    "C:\Users\Admin\AppData\Local\Temp\whutenyh.exe"
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\whutenyh.exe
    "C:\Users\Admin\AppData\Local\Temp\whutenyh.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oktqpmhnaju.huc

Filesize
7KB

MD5
2177027f57131203f050736afb2c7c14

SHA1
2d2c3244551ab67b79ce7c59c9a0427329d0aacf

SHA256
42c411f28b7485aa50c7e2a39c7bbab255d7cf8a8fb64ae34426cd4ee889da3b

SHA512
d34a4876a30a02180234621cdb993cddf100d0cd5ead5ca0c260a8ac14dbe950b961bbbf52060dbeea8aa54ebed18f9d69f297798e3dc34b6967f7a400050d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\orspcxr.sl

Filesize
300KB

MD5
ab8b786619a4f9aa9a8db1f1e3c673df

SHA1
3fbb8bb91ddfbc9989458327da20202cd9f2d97c

SHA256
7daa48f7955c173d9fd09f0713a24c4873e5e7f8a7250aa39e34505a040bfb8c

SHA512
43b8e6f1447c7fea4bdb3954eadc8e1b881172b874ba2a30372ac240f5a344c086595af75322c54ad478c6250578d43d592c5122296be1418d2cdac91d388088

Download Submit
\Users\Admin\AppData\Local\Temp\whutenyh.exe

Filesize
130KB

MD5
61797f40c55bf5a11a053fd14d634ff0

SHA1
b65974ee34bd5ad84cd144b251319f185f81dbc7

SHA256
9b893feff48da793e5a74b018ebc00ad7fd4391a546295fce95e1a090f1f18fe

SHA512
7b1175ccbe91bd1129bbef055c5f89cf12f06e5dc50f1e74fc6cff617ade3dfa703f553b1c6a7b1394cb9b07cfa947a31aee6bdb981d3f7bbcf10c0953fdc8fe

Download Submit
memory/1976-22-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-18-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1976-19-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1976-21-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/1976-31-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-23-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-15-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1976-25-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-26-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1976-29-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-30-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-8-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads