nanocore | 8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733

General

Target

8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe
Size

524KB
MD5

c57570dcacafd7fefa561d7f5e9c6210
SHA1

a2bd17084085a4b46c0cd2712960a3f82892db52
SHA256

8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733
SHA512

20e02a231249fca0a9ec5b0f9900c38b6586e8915645b29b2ac973b27606fc3a285521a2195d13e7ccd86d067aecd368b9ef13984aff204814094a62cdd0dc0a
SSDEEP

12288:bhxp3lZnT9bDkCl3PX0jMCmvpKxZ86rDitP:bJlh9bDkClMjlmvpNgDiB

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ichbin1337.ddns.net:9033

ichbincool.ddns.net:9033

Mutex

ffcb8fdb-4a29-46cd-a06a-580aecd4cd74

Attributes

activate_away_mode
false
backup_connection_host
ichbincool.ddns.net
backup_dns_server
buffer_size
65535
build_time
2016-07-15T19:36:40.912595336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
Game Slaves
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffcb8fdb-4a29-46cd-a06a-580aecd4cd74
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ichbin1337.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
384	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	accountgen.exe
4980	1020263847.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	accountgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNS Manager = "C:\\Program Files\\DNS Manager\\dnsmgr.exe"	1020263847.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1020263847.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DNS Manager\dnsmgr.exe	1020263847.exe
File opened for modification	C:\Program Files\DNS Manager\dnsmgr.exe	1020263847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
384	powershell.exe
384	powershell.exe
4980	1020263847.exe
4980	1020263847.exe
4980	1020263847.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4980	1020263847.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	4980	1020263847.exe
Token: SeDebugPrivilege	4980	1020263847.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2488	1540	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	86
PID 1540 wrote to memory of 2488	1540	8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe	86
PID 2488 wrote to memory of 3212	2488	accountgen.exe	89
PID 2488 wrote to memory of 3212	2488	accountgen.exe	89
PID 2488 wrote to memory of 3112	2488	accountgen.exe	91
PID 2488 wrote to memory of 3112	2488	accountgen.exe	91
PID 3112 wrote to memory of 384	3112	cmd.exe	93
PID 3112 wrote to memory of 384	3112	cmd.exe	93
PID 384 wrote to memory of 4980	384	powershell.exe	94
PID 384 wrote to memory of 4980	384	powershell.exe	94

C:\Users\Admin\AppData\Local\Temp\8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe
"C:\Users\Admin\AppData\Local\Temp\8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c echo.
    3⤵
    PID:3212
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c exec.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\1020263847\1020263847.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1020263847\1020263847.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1020263847\1020263847.exe

Filesize
202KB

MD5
9a5331d8875e92214a2fe746c71a075e

SHA1
70560ed5c4b4f6fbf857cd8bb00a013984cdaac2

SHA256
39640164c53a0f64aa0ff626af9d2d695f8a2106ebe3ec1afe464dca6c72049c

SHA512
8d1362bead0e1e7dc0b53926ae23559cd43c53ed1d701d0a3b9163137f59d4a4961c68d881c332cdda804f2f849d0dc74d60e47d6c62160850fe9e9151c7a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
270KB

MD5
8394b08922e0686a7dd5b48d49ab1c9b

SHA1
e9acd4adf0e8c909f92d485041dd3b4ac91c033c

SHA256
152fc3bf84fc802e58c78c5fda75a204a5244affa38b4eaffaee243414c155d7

SHA512
848a57636a0f05a1e2f9642a31616b0a1885205e7c6c10e2425c852eba9a88653656ee65130afc7d2aec237c2c3b44e1db2e72eae5e689ee43e11b828b73f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe

Filesize
323KB

MD5
75c4ec9b0ab7cf09ac7e02d82502526f

SHA1
2e89d641491365af07ae3665cc73ac0a6a47f096

SHA256
ebd6560688e89e56bfab3cf28a5d0a740a31b13faae997d66510d6978e5039ec

SHA512
a3acee3d0545b0db9ce9a0a42d423b05e27087bba940e053b0f8a783c97bbe6f7364fec01129d53f1c78df5ce7581a43fb6edf98a991d2ae498a99a9585e6549

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu3xbytu.314.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/384-30-0x00007FFF254E0000-0x00007FFF25FA1000-memory.dmp

Filesize
10.8MB

Download
memory/384-20-0x000002BA5B830000-0x000002BA5B852000-memory.dmp

Filesize
136KB

Download
memory/384-32-0x00007FFF254E0000-0x00007FFF25FA1000-memory.dmp

Filesize
10.8MB

Download
memory/384-19-0x00007FFF254E3000-0x00007FFF254E5000-memory.dmp

Filesize
8KB

Download
memory/384-41-0x00007FFF254E0000-0x00007FFF25FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-42-0x000000001BE50000-0x000000001C31E000-memory.dmp

Filesize
4.8MB

Download
memory/4980-45-0x000000001B850000-0x000000001B8EC000-memory.dmp

Filesize
624KB

Download
memory/4980-46-0x000000001C4D0000-0x000000001C576000-memory.dmp

Filesize
664KB

Download
memory/4980-47-0x00000000014C0000-0x00000000014C8000-memory.dmp

Filesize
32KB

Download
memory/4980-50-0x000000001C9F0000-0x000000001C9FA000-memory.dmp

Filesize
40KB

Download
memory/4980-51-0x000000001C670000-0x000000001C68E000-memory.dmp

Filesize
120KB

Download
memory/4980-52-0x000000001CC10000-0x000000001CC1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads