nanocore | cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c

General

Target

cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe
Size

524KB
MD5

eb794fa258e70ce308b380997ceed62c
SHA1

7677a9d15d7dab516b3769a9777d7e7c21912fd9
SHA256

cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c
SHA512

b653b53e2a3af8ef8a6888abd0ad7729c056874af5f10ce38099bc33eb69ea31029fe4f04ccfaea5365667490f3a953228a159b6ef681251ff17057ca0bec673
SSDEEP

12288:bhxp3lZnT9bDkCl3PX0jMCmvpKxZ86rDitH:bJlh9bDkClMjlmvpNgDiJ

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ichbin1337.ddns.net:9033

ichbincool.ddns.net:9033

Mutex

ffcb8fdb-4a29-46cd-a06a-580aecd4cd74

Attributes

activate_away_mode
false
backup_connection_host
ichbincool.ddns.net
backup_dns_server
buffer_size
65535
build_time
2016-07-15T19:36:40.912595336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
Game Slaves
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffcb8fdb-4a29-46cd-a06a-580aecd4cd74
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ichbin1337.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2572	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	accountgen.exe
2904	2140527608.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	accountgen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files\\DSL Manager\\dslmgr.exe"	2140527608.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2140527608.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DSL Manager\dslmgr.exe	2140527608.exe
File opened for modification	C:\Program Files\DSL Manager\dslmgr.exe	2140527608.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2572	powershell.exe
2904	2140527608.exe
2904	2140527608.exe
2904	2140527608.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	2140527608.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2904	2140527608.exe
Token: SeDebugPrivilege	2904	2140527608.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2588	1720	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe	31
PID 1720 wrote to memory of 2588	1720	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe	31
PID 1720 wrote to memory of 2588	1720	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe	31
PID 1720 wrote to memory of 2588	1720	cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe	31
PID 2588 wrote to memory of 580	2588	accountgen.exe	32
PID 2588 wrote to memory of 580	2588	accountgen.exe	32
PID 2588 wrote to memory of 580	2588	accountgen.exe	32
PID 2588 wrote to memory of 2964	2588	accountgen.exe	34
PID 2588 wrote to memory of 2964	2588	accountgen.exe	34
PID 2588 wrote to memory of 2964	2588	accountgen.exe	34
PID 2964 wrote to memory of 2572	2964	cmd.exe	36
PID 2964 wrote to memory of 2572	2964	cmd.exe	36
PID 2964 wrote to memory of 2572	2964	cmd.exe	36
PID 2572 wrote to memory of 2904	2572	powershell.exe	37
PID 2572 wrote to memory of 2904	2572	powershell.exe	37
PID 2572 wrote to memory of 2904	2572	powershell.exe	37

C:\Users\Admin\AppData\Local\Temp\cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe
"C:\Users\Admin\AppData\Local\Temp\cf56c9f957b7a6a680289502433ee407201a9799214f78014e1d5ebc3d719a4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo.
    3⤵
    PID:580
- - C:\Windows\system32\cmd.exe
    cmd.exe /c exec.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\2140527608\2140527608.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2140527608\2140527608.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2140527608\2140527608.exe

Filesize
202KB

MD5
9a5331d8875e92214a2fe746c71a075e

SHA1
70560ed5c4b4f6fbf857cd8bb00a013984cdaac2

SHA256
39640164c53a0f64aa0ff626af9d2d695f8a2106ebe3ec1afe464dca6c72049c

SHA512
8d1362bead0e1e7dc0b53926ae23559cd43c53ed1d701d0a3b9163137f59d4a4961c68d881c332cdda804f2f849d0dc74d60e47d6c62160850fe9e9151c7a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
270KB

MD5
8394b08922e0686a7dd5b48d49ab1c9b

SHA1
e9acd4adf0e8c909f92d485041dd3b4ac91c033c

SHA256
152fc3bf84fc802e58c78c5fda75a204a5244affa38b4eaffaee243414c155d7

SHA512
848a57636a0f05a1e2f9642a31616b0a1885205e7c6c10e2425c852eba9a88653656ee65130afc7d2aec237c2c3b44e1db2e72eae5e689ee43e11b828b73f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\accountgen.exe

Filesize
323KB

MD5
75c4ec9b0ab7cf09ac7e02d82502526f

SHA1
2e89d641491365af07ae3665cc73ac0a6a47f096

SHA256
ebd6560688e89e56bfab3cf28a5d0a740a31b13faae997d66510d6978e5039ec

SHA512
a3acee3d0545b0db9ce9a0a42d423b05e27087bba940e053b0f8a783c97bbe6f7364fec01129d53f1c78df5ce7581a43fb6edf98a991d2ae498a99a9585e6549

Download Submit
memory/2572-18-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2572-19-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2904-34-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/2904-35-0x0000000000E20000-0x0000000000E3E000-memory.dmp

Filesize
120KB

Download
memory/2904-36-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads