nanocore | 047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b

General

Target

StigmaLMAO.exe
Size

389KB
MD5

0c1d01453936e26ceb72eecd8c558e85
SHA1

2809f2a6938c98782386a098ff2cd0b67ef144f9
SHA256

047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b
SHA512

566060bb0d25bda13c10e70f221a1a18b7e93d769c1a101b7adc4ba2403ae0bc9ab7ab27d5531e3667ab4551605cf565048cd6e713cf4fcc098e42ef224047e1
SSDEEP

12288:UI2O9fO2QTfqgL+jVEac5Ie+X/Biu9+Cp:iOcdWgSVLYi/BiG+Cp

Score

10^/10

nanocore defense_evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

192.168.1.51:54984

127.0.0.1:54984

Mutex

b7a7a6df-8b9a-4cc8-8602-03352fbf30dd

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-04T20:06:49.461604936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2530
max_packet_size
1.048576e+07
mutex
b7a7a6df-8b9a-4cc8-8602-03352fbf30dd
mutex_timeout
5006
prevent_system_sleep
false
primary_connection_host
192.168.1.51
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2964	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	RtkAudUService64.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RtkAudUService64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	powershell.exe
2964	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	StigmaLMAO.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2844	RtkAudUService64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2804	1612	StigmaLMAO.exe	30
PID 1612 wrote to memory of 2804	1612	StigmaLMAO.exe	30
PID 1612 wrote to memory of 2804	1612	StigmaLMAO.exe	30
PID 1612 wrote to memory of 2964	1612	StigmaLMAO.exe	32
PID 1612 wrote to memory of 2964	1612	StigmaLMAO.exe	32
PID 1612 wrote to memory of 2964	1612	StigmaLMAO.exe	32
PID 2696 wrote to memory of 2844	2696	taskeng.exe	35
PID 2696 wrote to memory of 2844	2696	taskeng.exe	35
PID 2696 wrote to memory of 2844	2696	taskeng.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\StigmaLMAO.exe
"C:\Users\Admin\AppData\Local\Temp\StigmaLMAO.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {9121997C-09E6-498D-8121-FC266468AC94} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f84982ec88ba1be33a85f8cf7a87c0b0

SHA1
d4b1b1d5cee3fbe9c2caa9a29e24cc1cb507322f

SHA256
96d2a5dcefe3e8e70dfe1644f664d6a96e9ecd2983947f86e1478515c3f6c781

SHA512
20013a87df0f947311c73a236fb612915d938d7819e846d11732ef9f6d0526378e122ba8b66184a74661c9602432ed829f390a3189624237c0b168ff1c97589e

Download Submit
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe

Filesize
389KB

MD5
0c1d01453936e26ceb72eecd8c558e85

SHA1
2809f2a6938c98782386a098ff2cd0b67ef144f9

SHA256
047e8b08b1164c121b7b48efdf5d7e48f65a9af91a9312db9730f11bb9744c3b

SHA512
566060bb0d25bda13c10e70f221a1a18b7e93d769c1a101b7adc4ba2403ae0bc9ab7ab27d5531e3667ab4551605cf565048cd6e713cf4fcc098e42ef224047e1

Download Submit
memory/1612-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/1612-1-0x0000000000EF0000-0x0000000000F58000-memory.dmp

Filesize
416KB

Download
memory/1612-18-0x0000000000BA0000-0x0000000000C20000-memory.dmp

Filesize
512KB

Download
memory/2804-6-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2804-7-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2804-8-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2844-22-0x0000000000120000-0x0000000000188000-memory.dmp

Filesize
416KB

Download
memory/2844-23-0x0000000001F80000-0x0000000001FB8000-memory.dmp

Filesize
224KB

Download
memory/2964-14-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/2964-15-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing