nanocore | 047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b

General

Target

StigmaLMAO.exe
Size

389KB
MD5

0c1d01453936e26ceb72eecd8c558e85
SHA1

2809f2a6938c98782386a098ff2cd0b67ef144f9
SHA256

047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b
SHA512

566060bb0d25bda13c10e70f221a1a18b7e93d769c1a101b7adc4ba2403ae0bc9ab7ab27d5531e3667ab4551605cf565048cd6e713cf4fcc098e42ef224047e1
SSDEEP

12288:UI2O9fO2QTfqgL+jVEac5Ie+X/Biu9+Cp:iOcdWgSVLYi/BiG+Cp

Score

10^/10

nanocore defense_evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

192.168.1.51:54984

127.0.0.1:54984

Mutex

b7a7a6df-8b9a-4cc8-8602-03352fbf30dd

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-04T20:06:49.461604936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2530
max_packet_size
1.048576e+07
mutex
b7a7a6df-8b9a-4cc8-8602-03352fbf30dd
mutex_timeout
5006
prevent_system_sleep
false
primary_connection_host
192.168.1.51
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
2640	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	RtkAudUService64.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RtkAudUService64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2640	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	StigmaLMAO.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1860	RtkAudUService64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2640	2072	StigmaLMAO.exe	30
PID 2072 wrote to memory of 2640	2072	StigmaLMAO.exe	30
PID 2072 wrote to memory of 2640	2072	StigmaLMAO.exe	30
PID 2072 wrote to memory of 1028	2072	StigmaLMAO.exe	33
PID 2072 wrote to memory of 1028	2072	StigmaLMAO.exe	33
PID 2072 wrote to memory of 1028	2072	StigmaLMAO.exe	33
PID 1984 wrote to memory of 1860	1984	taskeng.exe	36
PID 1984 wrote to memory of 1860	1984	taskeng.exe	36
PID 1984 wrote to memory of 1860	1984	taskeng.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StigmaLMAO.exe
"C:\Users\Admin\AppData\Local\Temp\StigmaLMAO.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028

C:\Windows\system32\taskeng.exe
taskeng.exe {C64BD4E7-449A-4C5B-A26E-5E179C648046} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8a08dfab2d4145443aad1278e3dde711

SHA1
7ba945b5bad0d7013ad4ba5d95f70b2f91bca62e

SHA256
f1a87e16671c6c285dc5333f874b7513ea820eaa523f905d04d30cacbba9a52f

SHA512
1b1413c3fe6e6edadfce9dd85ac16fb0995733d716775fe760ad3e7a4905544a2fc8ed5c78ab3f895bd007fbb01a9e56d6ef20b0c763e54d140d936ee937d0de

Download Submit
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe

Filesize
389KB

MD5
0c1d01453936e26ceb72eecd8c558e85

SHA1
2809f2a6938c98782386a098ff2cd0b67ef144f9

SHA256
047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b

SHA512
566060bb0d25bda13c10e70f221a1a18b7e93d769c1a101b7adc4ba2403ae0bc9ab7ab27d5531e3667ab4551605cf565048cd6e713cf4fcc098e42ef224047e1

Download Submit
memory/1028-14-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1028-15-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/1860-22-0x00000000013D0000-0x0000000001438000-memory.dmp

Filesize
416KB

Download
memory/1860-23-0x0000000000B70000-0x0000000000BA8000-memory.dmp

Filesize
224KB

Download
memory/2072-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x0000000000D20000-0x0000000000D88000-memory.dmp

Filesize
416KB

Download
memory/2072-18-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2640-6-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2640-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-8-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing