nanocore | 21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64

General

Target

A653D1951B3DE7E0EDE77758187763B0.exe
Size

3.0MB
MD5

a653d1951b3de7e0ede77758187763b0
SHA1

06df3427aa544488543152111f5c5cfc52d41463
SHA256

21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64
SHA512

c8e5bc1284b3349cd81bb8edb85ebd5bb01fe08eb51aad53992a22a045ffae58ea4d7649f60559c9c5adaf71a7bcef4db3359bd54ae8157d9c0f0b9f2b0130ca
SSDEEP

49152:yKcYOh1T3CVOnr9zBVPgxyJbV4cPodKiUIQ+WSqwEQU:yxfrzCVOh9tQcPotU7

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ksmj.ddns.net:1337

Mutex

b73dccc0-ae28-411e-8f12-dcb30e5628a2

Attributes

activate_away_mode
true
backup_connection_host
ksmj.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-21T21:11:28.928783136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1337
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b73dccc0-ae28-411e-8f12-dcb30e5628a2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ksmj.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	A653D1951B3DE7E0EDE77758187763B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	R00tkit Blandly.exe

Executes dropped EXE 4 IoCs

pid	Process
2692	3377.exe
4228	ksmj.ddns.net.exe
4628	R00tkit Blandly.exe
5048	Blandly Rootkit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3377.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ksmj.ddns.net.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksmj.ddns.net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2692	3377.exe
2692	3377.exe
2692	3377.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
2692	3377.exe
2692	3377.exe
2692	3377.exe
4228	ksmj.ddns.net.exe
4228	ksmj.ddns.net.exe
2692	3377.exe
4228	ksmj.ddns.net.exe
2692	3377.exe
2692	3377.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2692	3377.exe
4228	ksmj.ddns.net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	3377.exe
Token: SeDebugPrivilege	4228	ksmj.ddns.net.exe
Token: SeDebugPrivilege	5048	Blandly Rootkit.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 6112 wrote to memory of 2692	6112	A653D1951B3DE7E0EDE77758187763B0.exe	90
PID 6112 wrote to memory of 2692	6112	A653D1951B3DE7E0EDE77758187763B0.exe	90
PID 6112 wrote to memory of 2692	6112	A653D1951B3DE7E0EDE77758187763B0.exe	90
PID 6112 wrote to memory of 4228	6112	A653D1951B3DE7E0EDE77758187763B0.exe	91
PID 6112 wrote to memory of 4228	6112	A653D1951B3DE7E0EDE77758187763B0.exe	91
PID 6112 wrote to memory of 4228	6112	A653D1951B3DE7E0EDE77758187763B0.exe	91
PID 6112 wrote to memory of 4628	6112	A653D1951B3DE7E0EDE77758187763B0.exe	92
PID 6112 wrote to memory of 4628	6112	A653D1951B3DE7E0EDE77758187763B0.exe	92
PID 4628 wrote to memory of 5048	4628	R00tkit Blandly.exe	95
PID 4628 wrote to memory of 5048	4628	R00tkit Blandly.exe	95

C:\Users\Admin\AppData\Local\Temp\A653D1951B3DE7E0EDE77758187763B0.exe
"C:\Users\Admin\AppData\Local\Temp\A653D1951B3DE7E0EDE77758187763B0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:6112
- C:\Users\Admin\AppData\Local\Temp\3377.exe
  "C:\Users\Admin\AppData\Local\Temp\3377.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe
  "C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe
  "C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe
    "C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3377.exe

Filesize
202KB

MD5
0e013a4db9f8352623a4eaa401d1911d

SHA1
67f2a12f5885ecd77529e21754f6597a2681800d

SHA256
1f3efa5e76eefce96212cbb8b77df3aae303ec5d6867a5c70d6d546836149584

SHA512
9c265ba915a79f95fa1d2cd85dec28308fc09a3fac4d5b8a35ecc6aebc22fe573343451fd822a5d6b4e7fc8a57fd60a7df26134f9fef83e128add574e42c0337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe

Filesize
3.0MB

MD5
302e8cd3926e071313c59cb2ad1d1d79

SHA1
53e21e236d428fcd390b54d4803ac43fdafe6b6c

SHA256
984360f867c1891f7ea6293ac2f72907321d1bcc4e68184327dad522744c97a5

SHA512
e95d3a536eeac0834b249511100d7e354c3994840882a9b4e77d6f93b8d7750a09a85f74fa2b9b71304c5be66a559df2f0089c82f3d8f78c658a385379d09c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe

Filesize
2.7MB

MD5
b66e88ba098da4d287b2dd99f69d14ef

SHA1
7bc51b7d8fb33372b162ec8cb7da3d9283ddb7d4

SHA256
105fee6fb5d6119c586844d5b7ceaa27b86c8ace1b8c2c30eaea51eb55c7b115

SHA512
a08c1cb60dfba2a4a601bcb5bf3f84e08aa98aa5eab1de8aace423f52f38ae1ed7ae610b60d6ad7dbe1dd9329e022c08f91f84fa62fed8acf84c437c0883cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe

Filesize
202KB

MD5
e2557f03a5d4de545313ba77de25139e

SHA1
74e271b02f314f8e1544d51ba3095c33b6015930

SHA256
ec9bba03d8dabd1ccaf0decd0bbe6fa6b8f23b8b81d67bc96b644f8751409ac6

SHA512
451eb59e76ec322c278f99e83af335d419ffc43d0485b4884b0ac519b5759fcf7a6770439894dd240ccc32678842df3b457aa74a82d0079a3e84ff52479d6929

Download Submit
C:\Users\Admin\AppData\Roaming\CB4CB3AF-08E1-460E-BFAE-F9DD6E47A0B1\run.dat

Filesize
8B

MD5
cc8b0ce254d1f5d273cc475cecbba679

SHA1
8b1cb749d11a5c9ed77485913134699b478b2abd

SHA256
d4452eba99bd640a8df0de19ab488ab71ded4784417a32600de2c2bbe726f367

SHA512
7be6c036f429ce9cf421e9471cc701edd8d77ca4de22764794f4244512f83e1e4866fd2da15045030cec4492c85a95d579f9b9976796e8c90a6c239ed599baed

Download Submit
memory/2692-35-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2692-54-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4228-34-0x00000000017F0000-0x0000000001800000-memory.dmp

Filesize
64KB

Download
memory/4228-53-0x00000000017F0000-0x0000000001800000-memory.dmp

Filesize
64KB

Download
memory/4628-52-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

Filesize
10.8MB

Download
memory/4628-56-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

Filesize
10.8MB

Download
memory/4628-33-0x0000000000B40000-0x0000000000DF4000-memory.dmp

Filesize
2.7MB

Download
memory/4628-32-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

Filesize
10.8MB

Download
memory/5048-49-0x000001EF47620000-0x000001EF47926000-memory.dmp

Filesize
3.0MB

Download
memory/5048-50-0x000001EF64150000-0x000001EF64200000-memory.dmp

Filesize
704KB

Download
memory/6112-0-0x00007FFD4B4D3000-0x00007FFD4B4D5000-memory.dmp

Filesize
8KB

Download
memory/6112-1-0x00000000007A0000-0x0000000000AA4000-memory.dmp

Filesize
3.0MB

Download
memory/6112-31-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

Filesize
10.8MB

Download
memory/6112-10-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads