nanocore | 83f236697e7b0dfcee1ce446703941574e7c292fea304afdb3613d7c5141f17d

General

Target

Chrome.exe
Size

822KB
MD5

dfe9a9f1b8384990ac9b8f44c9305a9b
SHA1

2e1d01fe1920197aa484b98deba38d32c9cdcac0
SHA256

9bd6b2b7a07de015273594db5e1702fc25f7ef32c7e53db44845d0a6f3296ac5
SHA512

3d46375ae06808ba1ad3fd1c4796ca2da753f99fb02dca879b1c56c9e07cd950a684c6629551fa9d6cfbc86b619f6de2a4d97b5547397addf41f3ff8f7228e11
SSDEEP

12288:1X81XL3K8KysjJS+yeHMm9jA1Qcp8ujw6kVNZDXxVs4iP9ZoFD5Li46G:E+GesuiUNNkIFgpG

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

haxorbaba.duckdns.org:1604

Mutex

68d0d384-24c7-4c4a-b00a-25fe172797c1

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2016-05-25T14:42:31.650976636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
3994
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
haxorbaba.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe"	Chrome.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 1864	1304	Chrome.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DSL Manager\dslmgr.exe	Chrome.exe
File created	C:\Program Files (x86)\DSL Manager\dslmgr.exe	Chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1864	Chrome.exe
1864	Chrome.exe
1864	Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1864	Chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	Chrome.exe
Token: SeDebugPrivilege	1864	Chrome.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1304 wrote to memory of 1864	1304	Chrome.exe	30
PID 1864 wrote to memory of 2264	1864	Chrome.exe	31
PID 1864 wrote to memory of 2264	1864	Chrome.exe	31
PID 1864 wrote to memory of 2264	1864	Chrome.exe	31
PID 1864 wrote to memory of 2264	1864	Chrome.exe	31
PID 1864 wrote to memory of 628	1864	Chrome.exe	33
PID 1864 wrote to memory of 628	1864	Chrome.exe	33
PID 1864 wrote to memory of 628	1864	Chrome.exe	33
PID 1864 wrote to memory of 628	1864	Chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\Chrome.exe
  C:\Users\Admin\AppData\Local\Temp\Chrome.exe
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB990.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp

Filesize
1KB

MD5
57ef41cc35a47d5ff922ec5a0d06aaa7

SHA1
0ae2172ca0e2578109243328ee57a68190252578

SHA256
ba13669de506ecfb43f5dc2b2acb6f392ad3d7daf9c9ad1c56359c6405de3a07

SHA512
58bdff3f27838934400b3bc21e69d8c2dfdcb0d5afc9ef5f4b0b5da83df603952abd6e804c3abcd50657f1c91dabc647d999f3d24b0b73990e3bd3abffddfa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB990.tmp

Filesize
1KB

MD5
a0bcaf1694d4fcae2c44258530850f35

SHA1
99e9ccea3a9dca8d94808f6488fdc37c0b3bfe73

SHA256
099c4a82d8e8ddf5ff801a8f08fb5a143834506e936ce846b380a42eb24e888e

SHA512
ad3f2fbc09f7d57c24a35a62f00251c93d480e065f3b7fbc7133736cb144a3031fdc9f3e8be8a1c6dcdb8b3def654618faab416f66a28628ab71e55de4df0da3

Download Submit
memory/1304-8-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1304-1-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1304-2-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1304-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

Filesize
4KB

Download
memory/1864-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-9-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1864-11-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1864-10-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1864-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-19-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads