nanocore | 18746bec927d202a23373265d257375e2e5dee63ebe7e9aeea04ae7fef1af9ba

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
Size

9.1MB
MD5

1667004ead4ad93800ac138048af7e07
SHA1

411f5b9ba3f15135708ceca944be9f11a4b55344
SHA256

378b4b25bf3fa10b91b990eb8bd406d38bc137082f84d85a38b034e51ecafaca
SHA512

7a211a2e453d63f9f4ba771b9be7c95596a79b329a79287cf2d9c88961e63d67923310f8f360736238ed62a4240cce94101b324c76779865813221adcc36f2d1
SSDEEP

196608:wtcC5VFnCotXQ6o2UrnLIUwZIaWAxKSCNCDyRpW+XErj:1+VFnCiAP2UrnLrwZ/WAxKSHDyRU+6j

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

novachrono.dyndns-ip.com:51398

fuevermili.hopto.org:51398

Mutex

9627608b-ae15-45b3-84dc-de306f82e6b1

Attributes

activate_away_mode
true
backup_connection_host
fuevermili.hopto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-15T18:50:29.402155836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
51398
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9627608b-ae15-45b3-84dc-de306f82e6b1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
novachrono.dyndns-ip.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 6 IoCs

pid	Process
2956	data-com.exe
2732	Audiostudio150.exe
2136	com-win867.exe
2896	netshare-winw.exe
1748	repair-winv.exe
1036	com-win867.exe

Loads dropped DLL 25 IoCs

pid	Process
2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2956	data-com.exe
2896	netshare-winw.exe
2136	com-win867.exe
2136	com-win867.exe
2896	netshare-winw.exe
2136	com-win867.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	com-win867.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 1036	2136	com-win867.exe	35

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000195bb-28.dat	upx
behavioral1/memory/2732-50-0x0000000140000000-0x0000000141FEA000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\data-com.exe	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
File opened for modification	C:\Program Files (x86)\Audiostudio150\Audiostudio150\Audiostudio150.exe	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2896	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	com-win867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netshare-winw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repair-winv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	com-win867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-com.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000016d69-41.dat	nsis_installer_1
behavioral1/files/0x000a000000016d69-41.dat	nsis_installer_2
behavioral1/files/0x000800000001756e-53.dat	nsis_installer_1
behavioral1/files/0x000800000001756e-53.dat	nsis_installer_2
behavioral1/files/0x00060000000195bd-87.dat	nsis_installer_1
behavioral1/files/0x00060000000195bd-87.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2896	netshare-winw.exe
2896	netshare-winw.exe
2896	netshare-winw.exe
2896	netshare-winw.exe
2136	com-win867.exe
2136	com-win867.exe
2136	com-win867.exe
2136	com-win867.exe
1036	com-win867.exe
1036	com-win867.exe
1036	com-win867.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	com-win867.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2136	com-win867.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	com-win867.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2956	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	29
PID 2328 wrote to memory of 2956	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	29
PID 2328 wrote to memory of 2956	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	29
PID 2328 wrote to memory of 2956	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	29
PID 2328 wrote to memory of 2732	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	30
PID 2328 wrote to memory of 2732	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	30
PID 2328 wrote to memory of 2732	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	30
PID 2328 wrote to memory of 2732	2328	378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe	30
PID 2956 wrote to memory of 2136	2956	data-com.exe	31
PID 2956 wrote to memory of 2136	2956	data-com.exe	31
PID 2956 wrote to memory of 2136	2956	data-com.exe	31
PID 2956 wrote to memory of 2136	2956	data-com.exe	31
PID 2956 wrote to memory of 2896	2956	data-com.exe	33
PID 2956 wrote to memory of 2896	2956	data-com.exe	33
PID 2956 wrote to memory of 2896	2956	data-com.exe	33
PID 2956 wrote to memory of 2896	2956	data-com.exe	33
PID 2956 wrote to memory of 1748	2956	data-com.exe	34
PID 2956 wrote to memory of 1748	2956	data-com.exe	34
PID 2956 wrote to memory of 1748	2956	data-com.exe	34
PID 2956 wrote to memory of 1748	2956	data-com.exe	34
PID 2136 wrote to memory of 1036	2136	com-win867.exe	35
PID 2136 wrote to memory of 1036	2136	com-win867.exe	35
PID 2136 wrote to memory of 1036	2136	com-win867.exe	35
PID 2136 wrote to memory of 1036	2136	com-win867.exe	35
PID 2896 wrote to memory of 2416	2896	netshare-winw.exe	36
PID 2896 wrote to memory of 2416	2896	netshare-winw.exe	36
PID 2896 wrote to memory of 2416	2896	netshare-winw.exe	36
PID 2896 wrote to memory of 2416	2896	netshare-winw.exe	36
PID 2136 wrote to memory of 1036	2136	com-win867.exe	35

C:\Users\Admin\AppData\Local\Temp\378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe
"C:\Users\Admin\AppData\Local\Temp\378B4B25BF3FA10B91B990EB8BD406D38BC137082F84D85A38B034E51ECAFACA.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Common Files\data-com.exe
  "C:\Program Files (x86)\Common Files\data-com.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\com-win867.exe
    "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\com-win867.exe
      "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe
    "C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 524
      4⤵
      Loads dropped DLL
      Program crash
      PID:2416
- - C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
    "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1748
- C:\Program Files (x86)\Audiostudio150\Audiostudio150\Audiostudio150.exe
  "C:\Program Files (x86)\Audiostudio150\Audiostudio150\Audiostudio150.exe"
  2⤵
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
907KB

MD5
ab5679b79d46d21152e2c84d28f6854a

SHA1
e8395499bea48ce23b7a5b4ea08d611a4bf4598d

SHA256
84f479e7889de3be0753433e348189fd85b40777b650df0cd55c843e1f82f72d

SHA512
19479114ea1fb8c10e02462cfec7c959505673f8f8aa8bcdb04927e024725f1dfd4e20702d9e29bb9fa5399b2bf9770040a925553f0c846f92820708104bad87

Download Submit
C:\Users\Admin\AppData\Local\Temp\50x50.jpg

Filesize
990B

MD5
ca6477ef69993246149bd34b857651db

SHA1
01411f9b09d58c6ea7f4068ace6207db4fb1b46f

SHA256
10c7923013668a793ba279dff60675fde5077234e5b2be84dd7c297d43540ad6

SHA512
02e5c2b806f58774e3f5b7d0b71c2c3ced543170ab643d211a6839ddb82676a88a321bfcccc65700272b0b9595193d8c2573bf7f477b945d1a8e798e7f7226fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.md

Filesize
1KB

MD5
0b61e9b2d174d66a91074558158d061c

SHA1
93d625d555981387466aca8018075b1195496b9c

SHA256
20d1cea77432e36ac12c16a2636344d92fab61c3f349444f3a7808ab3f57a1ac

SHA512
6ad59fd9f375d5e2b0e92ecb60406523f9333fff8a837963fb685ed3bf40f888c2d4847d4be6cfda16e1bfc668eb21d2724d073504af1bbf82a18aca58e9577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\com-win867.exe

Filesize
454KB

MD5
ece598774bd28cbe3caa0ee1f2212725

SHA1
48433d51044b0d1c9e802a6c95f9c994b5b0a142

SHA256
7ed2531a506e24a014493c92de25ca92fe712aa71a2ce981b14f25e053d5d5b6

SHA512
29aad65aa5827996bfd1ffb932803f2691450aeede912c0e6f60712af8b622b517b440bade503fbc076bb4245817fba1823bb54b1fadaddaab4c3057ca91b70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.png

Filesize
6KB

MD5
a7032131575edf08d718f4d3a1343e99

SHA1
4f6fef19c9b8f75f9e962fd3c78e92cd3b836446

SHA256
8a4bd6e4675e40248040db34c43fbf4bf7f8d0a67404efb4bed3d7a47f2c6dbd

SHA512
a6f47acff9d8b1bf48f9c8f3a64b75a8f3e5be071ac378eaa46252eaf27c84b075347ae052390ed892f17d820d7fda7a516298b787cda02718cd47bcf8c0a0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\repair-winv.exe

Filesize
502KB

MD5
3436f616a07a2d43b067b0c7a9ee0aab

SHA1
9acc3914853a04bfc795d8d97e7862ae0d873276

SHA256
fc3a8e4291ca21ecc1f28995bf8834e46aeddfafaf959413b2b9cd2ab87f51e3

SHA512
eb51df5c9855cc0dc310a2ea08b46e3b6b5aa190cc84e2ff6ccbc9b670352b099b35464fcad2b300086c74174fcd0105f6deb5fd6d9f96205a529f8d6b375c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrcvb.dll

Filesize
10KB

MD5
0c9759f952b48ce3b6ea9ab6e8c74ec8

SHA1
2bc4e9b133ef7dcef59a170e81ec8ea329366b39

SHA256
fb17899c01dc5b01d78a45ac7ada23742285894c57cf957688a8b0aeb79044f3

SHA512
1d8339f065140053505d6080959015d851ca442d88a44dfdc0e26a5e5c53ae03d555a1ff308cd6072e1fd73e3f60aeb8752cde8e0b704d321203bf548b85eef9

Download Submit
\Program Files (x86)\Audiostudio150\Audiostudio150\Audiostudio150.exe

Filesize
13.0MB

MD5
590df55c4f894691f20ddb1c9fa1c7fb

SHA1
dd7ca54ec97c5934296e48a16eebca48c4ce2715

SHA256
b67a628a0b08dee1e706cbdf7fd34a96bf4762fdff82847e4b3dfaa93bdbd9de

SHA512
f7f4d22cbd0a3e118ddf5ae7818c06a70944fb876b22dddc336d914865ea7802bc3a984cb5e4e777994e791e0100d1c924e8528440aa28a4fb3c04ae68beb9f0

Download Submit
\Program Files (x86)\Common Files\data-com.exe

Filesize
1.6MB

MD5
c4f5279ac008bd516fac948b9ed07ef4

SHA1
dfd6b2cde45d61cb5f470d7cc9aa02ea14a88b0c

SHA256
e62f25c348f1a803072a3fa6991c3c624982f1a0db33a835af27ec22bab577f6

SHA512
54c5c1c397c3c9a2a3737447b7e2b1b048ffcaa8478453fb25bc9c4e9c9204a58f41318b80ff806c91cd77e09bac47152bc3ea56ce7faaa088f7f20d67632bd3

Download Submit
\Users\Admin\AppData\Local\Temp\netshare-winw.exe

Filesize
793KB

MD5
937e8c3bed1eae721daf1b8aa0e2ae38

SHA1
a53fd1565b9d92986db6383830cadee69dfe8723

SHA256
69988bab12a838d28a2cca55bddb05da74ec8653ac887f8f0340a178325f2872

SHA512
277edd5c91ca22661d08d9e456f0b93666c3e0906af2fe589a68b9cdf565d51666030907f8096837ac5bcc33072d5df27bd5f543a90d24cb08db0a1f8be66a70

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF9DA.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1036-126-0x0000000000630000-0x0000000000668000-memory.dmp

Filesize
224KB

Download
memory/1036-118-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1036-116-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1036-130-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1036-131-0x0000000002090000-0x000000000209A000-memory.dmp

Filesize
40KB

Download
memory/1036-132-0x0000000004740000-0x000000000475E000-memory.dmp

Filesize
120KB

Download
memory/1036-133-0x00000000020A0000-0x00000000020AA000-memory.dmp

Filesize
40KB

Download
memory/2136-107-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2136-125-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2328-37-0x00000000034E0000-0x00000000054CA000-memory.dmp

Filesize
31.9MB

Download
memory/2328-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-128-0x00000000034E0000-0x00000000054CA000-memory.dmp

Filesize
31.9MB

Download
memory/2732-50-0x0000000140000000-0x0000000141FEA000-memory.dmp

Filesize
31.9MB

Download