nanocore | 21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64

General

Target

A653D1951B3DE7E0EDE77758187763B0.exe
Size

3.0MB
MD5

a653d1951b3de7e0ede77758187763b0
SHA1

06df3427aa544488543152111f5c5cfc52d41463
SHA256

21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64
SHA512

c8e5bc1284b3349cd81bb8edb85ebd5bb01fe08eb51aad53992a22a045ffae58ea4d7649f60559c9c5adaf71a7bcef4db3359bd54ae8157d9c0f0b9f2b0130ca
SSDEEP

49152:yKcYOh1T3CVOnr9zBVPgxyJbV4cPodKiUIQ+WSqwEQU:yxfrzCVOh9tQcPotU7

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ksmj.ddns.net:5552

ksmj.ddns.net:1337

Mutex

f761c1a4-b3fc-47bd-8557-06047cdf0973

Attributes

activate_away_mode
true
backup_connection_host
ksmj.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-21T22:16:55.253588936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5552
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f761c1a4-b3fc-47bd-8557-06047cdf0973
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 5 IoCs

pid	Process
2464	3377.exe
1988	ksmj.ddns.net.exe
2244	R00tkit Blandly.exe
2844	Blandly Rootkit.exe
1204	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2244	R00tkit Blandly.exe
1204	Process not Found

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ksmj.ddns.net.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3377.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksmj.ddns.net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1988	ksmj.ddns.net.exe
2464	3377.exe
1988	ksmj.ddns.net.exe
2464	3377.exe
1988	ksmj.ddns.net.exe
2464	3377.exe
1988	ksmj.ddns.net.exe
1988	ksmj.ddns.net.exe
1988	ksmj.ddns.net.exe
2464	3377.exe
2464	3377.exe
2464	3377.exe
2464	3377.exe
2464	3377.exe
2464	3377.exe
1988	ksmj.ddns.net.exe
1988	ksmj.ddns.net.exe
1988	ksmj.ddns.net.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1988	ksmj.ddns.net.exe
2464	3377.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	ksmj.ddns.net.exe
Token: SeDebugPrivilege	2464	3377.exe
Token: SeDebugPrivilege	2844	Blandly Rootkit.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2464	2016	A653D1951B3DE7E0EDE77758187763B0.exe	31
PID 2016 wrote to memory of 2464	2016	A653D1951B3DE7E0EDE77758187763B0.exe	31
PID 2016 wrote to memory of 2464	2016	A653D1951B3DE7E0EDE77758187763B0.exe	31
PID 2016 wrote to memory of 2464	2016	A653D1951B3DE7E0EDE77758187763B0.exe	31
PID 2016 wrote to memory of 1988	2016	A653D1951B3DE7E0EDE77758187763B0.exe	32
PID 2016 wrote to memory of 1988	2016	A653D1951B3DE7E0EDE77758187763B0.exe	32
PID 2016 wrote to memory of 1988	2016	A653D1951B3DE7E0EDE77758187763B0.exe	32
PID 2016 wrote to memory of 1988	2016	A653D1951B3DE7E0EDE77758187763B0.exe	32
PID 2016 wrote to memory of 2244	2016	A653D1951B3DE7E0EDE77758187763B0.exe	33
PID 2016 wrote to memory of 2244	2016	A653D1951B3DE7E0EDE77758187763B0.exe	33
PID 2016 wrote to memory of 2244	2016	A653D1951B3DE7E0EDE77758187763B0.exe	33
PID 2244 wrote to memory of 2844	2244	R00tkit Blandly.exe	34
PID 2244 wrote to memory of 2844	2244	R00tkit Blandly.exe	34
PID 2244 wrote to memory of 2844	2244	R00tkit Blandly.exe	34

C:\Users\Admin\AppData\Local\Temp\A653D1951B3DE7E0EDE77758187763B0.exe
"C:\Users\Admin\AppData\Local\Temp\A653D1951B3DE7E0EDE77758187763B0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\3377.exe
  "C:\Users\Admin\AppData\Local\Temp\3377.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe
  "C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe
  "C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe
    "C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3377.exe

Filesize
202KB

MD5
0e013a4db9f8352623a4eaa401d1911d

SHA1
67f2a12f5885ecd77529e21754f6597a2681800d

SHA256
1f3efa5e76eefce96212cbb8b77df3aae303ec5d6867a5c70d6d546836149584

SHA512
9c265ba915a79f95fa1d2cd85dec28308fc09a3fac4d5b8a35ecc6aebc22fe573343451fd822a5d6b4e7fc8a57fd60a7df26134f9fef83e128add574e42c0337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe

Filesize
3.0MB

MD5
302e8cd3926e071313c59cb2ad1d1d79

SHA1
53e21e236d428fcd390b54d4803ac43fdafe6b6c

SHA256
984360f867c1891f7ea6293ac2f72907321d1bcc4e68184327dad522744c97a5

SHA512
e95d3a536eeac0834b249511100d7e354c3994840882a9b4e77d6f93b8d7750a09a85f74fa2b9b71304c5be66a559df2f0089c82f3d8f78c658a385379d09c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe

Filesize
2.7MB

MD5
b66e88ba098da4d287b2dd99f69d14ef

SHA1
7bc51b7d8fb33372b162ec8cb7da3d9283ddb7d4

SHA256
105fee6fb5d6119c586844d5b7ceaa27b86c8ace1b8c2c30eaea51eb55c7b115

SHA512
a08c1cb60dfba2a4a601bcb5bf3f84e08aa98aa5eab1de8aace423f52f38ae1ed7ae610b60d6ad7dbe1dd9329e022c08f91f84fa62fed8acf84c437c0883cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe

Filesize
202KB

MD5
e2557f03a5d4de545313ba77de25139e

SHA1
74e271b02f314f8e1544d51ba3095c33b6015930

SHA256
ec9bba03d8dabd1ccaf0decd0bbe6fa6b8f23b8b81d67bc96b644f8751409ac6

SHA512
451eb59e76ec322c278f99e83af335d419ffc43d0485b4884b0ac519b5759fcf7a6770439894dd240ccc32678842df3b457aa74a82d0079a3e84ff52479d6929

Download Submit
C:\Users\Admin\AppData\Roaming\38B42D9B-3E83-45F4-8789-A30BE34574B0\run.dat

Filesize
8B

MD5
c38062b023b8f0154ed60e8a1f5613c4

SHA1
38618d4f190a219ebd40ec6551fe77e8d90cf75e

SHA256
7dd3575d2d098359bbe2e5989f88256a8986464630720d403eacb92a58d1d877

SHA512
20f2b7a91e79ce4a4aa8502a1ae7810cd93073921ff38527a98d73f4e759486a9e94ce7743a8469c57d122e45700773cc43c624ae1dd462f956c8939487724b1

Download Submit
memory/1988-21-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/1988-29-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-47-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-46-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-31-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-1-0x0000000000C30000-0x0000000000F34000-memory.dmp

Filesize
3.0MB

Download
memory/2016-10-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2016-26-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-25-0x0000000000AA0000-0x0000000000D54000-memory.dmp

Filesize
2.7MB

Download
memory/2464-28-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-27-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-30-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-45-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-41-0x0000000000A90000-0x0000000000D96000-memory.dmp

Filesize
3.0MB

Download
memory/2844-42-0x000000001C190000-0x000000001C240000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing