nanocore | 4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

General

Target

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
Size

399KB
MD5

153deb0e0ffc0b476d5bba8a69778dde
SHA1

4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f
SHA256

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607
SHA512

00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4
SSDEEP

6144:GSI/6NlBkO6avy/eiZ8y6lT+taYVZOq/y4bRwDJm1RU78h1ixeRd7:GSO6NlBkO6avy/eySdYNaNm1RU7vxC

Score

10^/10

nanocore evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes

activate_away_mode
true
backup_connection_host
original-financial.gl.at.ply.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-13T19:32:56.304391136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28916
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
2112	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	wlanext.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2372	powershell.exe
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2540	wlanext.exe
Token: SeDebugPrivilege	2540	wlanext.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2372	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	35
PID 2988 wrote to memory of 2372	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	35
PID 2988 wrote to memory of 2372	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	35
PID 2988 wrote to memory of 2112	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	37
PID 2988 wrote to memory of 2112	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	37
PID 2988 wrote to memory of 2112	2988	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	37
PID 1488 wrote to memory of 2540	1488	taskeng.exe	40
PID 1488 wrote to memory of 2540	1488	taskeng.exe	40
PID 1488 wrote to memory of 2540	1488	taskeng.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
"C:\Users\Admin\AppData\Local\Temp\4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\taskeng.exe
taskeng.exe {005B6259-41C2-408F-8D43-8178BF953CE1} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Roaming\wlanext.exe
  C:\Users\Admin\AppData\Roaming\wlanext.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5DSD4PIIWMRNTJFMFJZ.temp

Filesize
7KB

MD5
7722664107c56a24000171894d08678d

SHA1
58fd8ff8e375e4e9995eba4ba82c8a31edef0706

SHA256
523cb2532f1b70cee82ac705b038ef16cd7afa7e50e23fd582b394f29c8c61fa

SHA512
1783284de91c70c1c31c0511a5e742aa54ff2f5b236809c9c25896023d5899b4feea96a8ffca3a383cf1769135ba95f551f36abb91d9249a942e9980c71c3a99

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
399KB

MD5
153deb0e0ffc0b476d5bba8a69778dde

SHA1
4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

SHA256
4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

SHA512
00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Download Submit
memory/2112-15-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2112-14-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2372-8-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2372-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2540-24-0x0000000000FE0000-0x000000000104A000-memory.dmp

Filesize
424KB

Download
memory/2540-25-0x0000000000C00000-0x0000000000C3A000-memory.dmp

Filesize
232KB

Download
memory/2988-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2988-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-18-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2988-19-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-20-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-1-0x0000000000800000-0x000000000086A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing