Overview

overview

10

Static

static

10

NanoCore.exe

windows7-x64

10

NanoCore.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NanoCore.exe

  • Size

    1.1MB

  • MD5

    e4aeb7b31d677a5a9a58a4762fab1321

  • SHA1

    a5e7279b6d59236296031ff87976e33fbd8cf34d

  • SHA256

    1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915

  • SHA512

    964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa

  • SSDEEP

    24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb

Score
10/10
darkcometnanocoreidmandiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

IDMAN

C2

arrivals.ddns.net:2323

Mutex

DC_MUTEX-391X2ZJ

Attributes
  • InstallPath

    MSDCSC\IDMAN.exe

  • gencode

    CUWbhGwmWBMb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    IDMAN

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
    "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Roaming\CRACKED.EXE
      "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
        "C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3140
    • C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
      "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 1104
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\CRACKED.EXE
    Filesize

    659KB

    MD5

    94c5b3199414b8fca9f134724acdd88e

    SHA1

    6c95291364476fc10c4e343120225dae72d11233

    SHA256

    dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

    SHA512

    5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
    Filesize

    403KB

    MD5

    d902fb22b92a7455eeac95712e9c2179

    SHA1

    8e4e0d0965055517c1ddef8442cf74c4f3d700af

    SHA256

    58f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f

    SHA512

    d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269

    Download Submit

  • memory/3140-40-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4448-36-0x00000000016B0000-0x00000000016C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-37-0x000000001BD60000-0x000000001BE06000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4448-38-0x000000001C2E0000-0x000000001C7AE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4448-39-0x000000001C8A0000-0x000000001C93C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4448-41-0x0000000001630000-0x0000000001638000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4448-42-0x000000001CA00000-0x000000001CA4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5032-22-0x00000000022D0000-0x00000000022D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5032-43-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-51-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-57-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-52-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-53-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-54-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-55-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-56-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-50-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-58-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-59-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-60-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-61-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-62-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5112-63-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download