nanocore | 8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733

General

Target

8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe
Size

524KB
MD5

c57570dcacafd7fefa561d7f5e9c6210
SHA1

a2bd17084085a4b46c0cd2712960a3f82892db52
SHA256

8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733
SHA512

20e02a231249fca0a9ec5b0f9900c38b6586e8915645b29b2ac973b27606fc3a285521a2195d13e7ccd86d067aecd368b9ef13984aff204814094a62cdd0dc0a
SSDEEP

12288:bhxp3lZnT9bDkCl3PX0jMCmvpKxZ86rDitP:bJlh9bDkClMjlmvpNgDiB

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ichbin1337.ddns.net:9033

ichbincool.ddns.net:9033

Mutex

ffcb8fdb-4a29-46cd-a06a-580aecd4cd74

Attributes

activate_away_mode
false
backup_connection_host
ichbincool.ddns.net
backup_dns_server
buffer_size
65535
build_time
2016-07-15T19:36:40.912595336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
Game Slaves
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffcb8fdb-4a29-46cd-a06a-580aecd4cd74
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ichbin1337.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	accountgen.exe
2108	1840859179.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	accountgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files\\DSL Manager\\dslmgr.exe"	1840859179.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1840859179.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DSL Manager\dslmgr.exe	1840859179.exe
File opened for modification	C:\Program Files\DSL Manager\dslmgr.exe	1840859179.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2156	powershell.exe
2108	1840859179.exe
2108	1840859179.exe
2108	1840859179.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	1840859179.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2108	1840859179.exe
Token: SeDebugPrivilege	2108	1840859179.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3044	2488	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	31
PID 2488 wrote to memory of 3044	2488	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	31
PID 2488 wrote to memory of 3044	2488	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	31
PID 2488 wrote to memory of 3044	2488	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	31
PID 3044 wrote to memory of 2180	3044	accountgen.exe	32
PID 3044 wrote to memory of 2180	3044	accountgen.exe	32
PID 3044 wrote to memory of 2180	3044	accountgen.exe	32
PID 3044 wrote to memory of 2500	3044	accountgen.exe	34
PID 3044 wrote to memory of 2500	3044	accountgen.exe	34
PID 3044 wrote to memory of 2500	3044	accountgen.exe	34
PID 2500 wrote to memory of 2156	2500	cmd.exe	36
PID 2500 wrote to memory of 2156	2500	cmd.exe	36
PID 2500 wrote to memory of 2156	2500	cmd.exe	36
PID 2156 wrote to memory of 2108	2156	powershell.exe	37
PID 2156 wrote to memory of 2108	2156	powershell.exe	37
PID 2156 wrote to memory of 2108	2156	powershell.exe	37

C:\Users\Admin\AppData\Local\Temp\8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe
"C:\Users\Admin\AppData\Local\Temp\8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo.
    3⤵
    PID:2180
- - C:\Windows\system32\cmd.exe
    cmd.exe /c exec.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\1840859179\1840859179.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1840859179\1840859179.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1840859179\1840859179.exe

Filesize
202KB

MD5
9a5331d8875e92214a2fe746c71a075e

SHA1
70560ed5c4b4f6fbf857cd8bb00a013984cdaac2

SHA256
39640164c53a0f64aa0ff626af9d2d695f8a2106ebe3ec1afe464dca6c72049c

SHA512
8d1362bead0e1e7dc0b53926ae23559cd43c53ed1d701d0a3b9163137f59d4a4961c68d881c332cdda804f2f849d0dc74d60e47d6c62160850fe9e9151c7a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
270KB

MD5
8394b08922e0686a7dd5b48d49ab1c9b

SHA1
e9acd4adf0e8c909f92d485041dd3b4ac91c033c

SHA256
152fc3bf84fc802e58c78c5fda75a204a5244affa38b4eaffaee243414c155d7

SHA512
848a57636a0f05a1e2f9642a31616b0a1885205e7c6c10e2425c852eba9a88653656ee65130afc7d2aec237c2c3b44e1db2e72eae5e689ee43e11b828b73f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe

Filesize
323KB

MD5
75c4ec9b0ab7cf09ac7e02d82502526f

SHA1
2e89d641491365af07ae3665cc73ac0a6a47f096

SHA256
ebd6560688e89e56bfab3cf28a5d0a740a31b13faae997d66510d6978e5039ec

SHA512
a3acee3d0545b0db9ce9a0a42d423b05e27087bba940e053b0f8a783c97bbe6f7364fec01129d53f1c78df5ce7581a43fb6edf98a991d2ae498a99a9585e6549

Download Submit
memory/2108-34-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2108-35-0x00000000022A0000-0x00000000022BE000-memory.dmp

Filesize
120KB

Download
memory/2108-36-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2156-18-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2156-19-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads