nanocore | 5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2c04bb4-1039-4836-bca6-bd4211df1190.exe
Size

524KB
MD5

81ffddf2c1d7905204a67f6577e2dc68
SHA1

a89c37a3e12a46ac714887d509a1849791b4b244
SHA256

5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
SHA512

b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
SSDEEP

6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP

Score

10^/10

nanocore discovery evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes

activate_away_mode
true
backup_connection_host
original-financial.gl.at.ply.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-13T19:32:56.304391136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28916
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
760	powershell.exe
3668	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b2c04bb4-1039-4836-bca6-bd4211df1190.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	injection.exe

Executes dropped EXE 4 IoCs

pid	Process
748	111111111111111111111111111111111111.exe
1000	injection.exe
1108	Setup.exe
4736	wlanext.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	111111111111111111111111111111111111.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	discord.com
16	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
3668	powershell.exe
3668	powershell.exe
760	powershell.exe
760	powershell.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe
748	111111111111111111111111111111111111.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
748	111111111111111111111111111111111111.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	injection.exe
Token: SeDebugPrivilege	748	111111111111111111111111111111111111.exe
Token: SeBackupPrivilege	3248	vssvc.exe
Token: SeRestorePrivilege	3248	vssvc.exe
Token: SeAuditPrivilege	3248	vssvc.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4736	wlanext.exe
Token: SeDebugPrivilege	4736	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 748	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	83
PID 400 wrote to memory of 748	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	83
PID 400 wrote to memory of 748	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	83
PID 400 wrote to memory of 1000	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	84
PID 400 wrote to memory of 1000	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	84
PID 400 wrote to memory of 1108	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	85
PID 400 wrote to memory of 1108	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	85
PID 400 wrote to memory of 1108	400	b2c04bb4-1039-4836-bca6-bd4211df1190.exe	85
PID 1000 wrote to memory of 3668	1000	injection.exe	91
PID 1000 wrote to memory of 3668	1000	injection.exe	91
PID 1000 wrote to memory of 760	1000	injection.exe	93
PID 1000 wrote to memory of 760	1000	injection.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe
"C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
  "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Users\Admin\AppData\Local\Temp\injection.exe
  "C:\Users\Admin\AppData\Local\Temp\injection.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Users\Admin\AppData\Roaming\wlanext.exe
C:\Users\Admin\AppData\Roaming\wlanext.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe

Filesize
209KB

MD5
9258d024ee6fbfe283978e89e25cbc50

SHA1
123f1309dbc98824ec2ebb12f9883a07b873820e

SHA256
392a00e29a7305ead657c6c10d80b446f8b6bfe25a171e63e43439695f40410a

SHA512
993b2a16cfdc8dbd99753349f923a6baf1e801f79d7fb6aa39e15f617b4f798f355a9edddc9e7579ece562e1c254299e974ac46e70efe576a0985554fec15913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
124KB

MD5
fb47cb26a0c7480148a8d0c8f8e01be1

SHA1
bff6e89f3f724f79b136a4af7e6be03ff8d945e8

SHA256
255472e23f31eebe810f217212bf9caa39a30cac423dbe9893b554308da7db4b

SHA512
59bf831d10f9b2787e8152c2eea2abc8d131a9b45986da21d0cd6b38b43907becad39c332ed2c251bb3c28c14bfa022a7635487230a1f8643fb7ac20f1518ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ed2dqto.4p0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\injection.exe

Filesize
399KB

MD5
153deb0e0ffc0b476d5bba8a69778dde

SHA1
4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

SHA256
4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

SHA512
00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Download Submit
C:\Users\Admin\AppData\Roaming\A4172161-D53D-48AF-8F36-A00B057E74D4\catalog.dat

Filesize
248B

MD5
061e700fe27d852034a5a44bf5985ccf

SHA1
15b072de6d6fdd92ae36f074345fa41985833e8d

SHA256
4bbb88af530693eb4a710b0591d4baf585837242c5690f5a821bf2fc9cc587cd

SHA512
cf6c5458ab50c859740490985d1e7e887d1116f3fa947ff2ec49af9997a42f3402c63ef42b93498544195d9859fbb19ccc295966564b30f5adb4a36d4e8886c6

Download Submit
C:\Users\Admin\AppData\Roaming\A4172161-D53D-48AF-8F36-A00B057E74D4\run.dat

Filesize
8B

MD5
c75162a192a239cb4748974c61f91bd4

SHA1
e3a6afe237bf05913514e56c3d4cfc06d640068a

SHA256
2d9356c0f5c0402f89e9b06d655e0dd7d809bec07ecc20f9ce137feb10ada9f9

SHA512
def977ac5f00b67bdcfcd1d321f17d5d0b27a0eba993a3262934078cfb21302c03e1c5bbeaf29c5aea30433fc30e3021297eb411fd893cf75ea3affca3dbff04

Download Submit
C:\Users\Admin\AppData\Roaming\A4172161-D53D-48AF-8F36-A00B057E74D4\storage.dat

Filesize
423KB

MD5
7f0642b40d7f2ee4cf9d08601762f280

SHA1
db0a55e900fb8ab637f84815e8100de9ba391810

SHA256
e6a52cf6101cd8a5b0b276ba0507ab1fa3203267b842c4534f28f37ada40c02a

SHA512
108eb480e9ad78b3dd9783ed536b1406eb390f10cafe0e95f26da86d08b4e006fffce8ea389f87f4e6d92b0bfda20ea8fd0bd6094d7e6ea773807d0adbe1c2e1

Download Submit
memory/400-38-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/400-0-0x00007FF8D0503000-0x00007FF8D0505000-memory.dmp

Filesize
8KB

Download
memory/400-15-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/400-1-0x0000000000F00000-0x0000000000F88000-memory.dmp

Filesize
544KB

Download
memory/748-80-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/748-39-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/748-79-0x0000000074F32000-0x0000000074F34000-memory.dmp

Filesize
8KB

Download
memory/748-36-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/748-37-0x0000000074F32000-0x0000000074F34000-memory.dmp

Filesize
8KB

Download
memory/748-78-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/1000-31-0x0000000000050000-0x00000000000BA000-memory.dmp

Filesize
424KB

Download
memory/1000-74-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1000-35-0x00007FF8D0500000-0x00007FF8D0FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-43-0x00000295F4240000-0x00000295F4262000-memory.dmp

Filesize
136KB

Download
memory/4736-73-0x00000000015E0000-0x000000000161A000-memory.dmp

Filesize
232KB

Download