nanocore | fef7c5f3c06740cd4c3613a77acb03c0bfd60aaa4c27995f0ae9862c45ada8ba | Triage

Resubmissions

13-02-2025 03:26

250213-dzgx7sslhm 10

13-02-2025 03:15

250213-dr2yeasphs 10

Sharing

General

Target

NanoCore.zip
Size

18.1MB
Sample

250213-dr2yeasphs
MD5

91f4a9ef46bd12a099c59ed2b5a587f7
SHA1

6764d1e0b5e97279f94d558705089d29048a26ff
SHA256

fef7c5f3c06740cd4c3613a77acb03c0bfd60aaa4c27995f0ae9862c45ada8ba
SHA512

dca240c0aa7cb760cf3341cb46f3a5346934e96031fff724e1a95d4aeae6fc4f609dffb517dc9073549cf9d807867dbc94624c833126efe47e07a2490427391c
SSDEEP

393216:vfVFdRQrMvORPWz7z18JXUfXZRzX6Xwat7ojUhCRh4w2j0z7:XVF/dgPqzaJqN6XwuoIhwsG

Score

10^/10

nanocore discovery

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

127.0.0.1:54984

Mutex

0a58aef9-430a-40b3-bc54-321556a3f865

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-02-15T14:37:43.789028636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0a58aef9-430a-40b3-bc54-321556a3f865
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  NanoCore.zip
- Size
  
  18.1MB
- MD5
  
  91f4a9ef46bd12a099c59ed2b5a587f7
- SHA1
  
  6764d1e0b5e97279f94d558705089d29048a26ff
- SHA256
  
  fef7c5f3c06740cd4c3613a77acb03c0bfd60aaa4c27995f0ae9862c45ada8ba
- SHA512
  
  dca240c0aa7cb760cf3341cb46f3a5346934e96031fff724e1a95d4aeae6fc4f609dffb517dc9073549cf9d807867dbc94624c833126efe47e07a2490427391c
- SSDEEP
  
  393216:vfVFdRQrMvORPWz7z18JXUfXZRzX6Xwat7ojUhCRh4w2j0z7:XVF/dgPqzaJqN6XwuoIhwsG
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1