nanocore | 21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64

General

Target

21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe
Size

3.0MB
MD5

a653d1951b3de7e0ede77758187763b0
SHA1

06df3427aa544488543152111f5c5cfc52d41463
SHA256

21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64
SHA512

c8e5bc1284b3349cd81bb8edb85ebd5bb01fe08eb51aad53992a22a045ffae58ea4d7649f60559c9c5adaf71a7bcef4db3359bd54ae8157d9c0f0b9f2b0130ca
SSDEEP

49152:yKcYOh1T3CVOnr9zBVPgxyJbV4cPodKiUIQ+WSqwEQU:yxfrzCVOh9tQcPotU7

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ksmj.ddns.net:1337

Mutex

b73dccc0-ae28-411e-8f12-dcb30e5628a2

Attributes

activate_away_mode
true
backup_connection_host
ksmj.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-21T21:11:28.928783136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1337
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b73dccc0-ae28-411e-8f12-dcb30e5628a2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ksmj.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	R00tkit Blandly.exe

Executes dropped EXE 4 IoCs

pid	Process
2400	3377.exe
1788	ksmj.ddns.net.exe
4872	R00tkit Blandly.exe
1820	Blandly Rootkit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3377.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ksmj.ddns.net.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
32	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksmj.ddns.net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3377.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2400	3377.exe
2400	3377.exe
2400	3377.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
2400	3377.exe
2400	3377.exe
2400	3377.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
1788	ksmj.ddns.net.exe
2400	3377.exe
2400	3377.exe
2400	3377.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2400	3377.exe
1788	ksmj.ddns.net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	3377.exe
Token: SeDebugPrivilege	1788	ksmj.ddns.net.exe
Token: SeDebugPrivilege	1820	Blandly Rootkit.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2400	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	90
PID 2360 wrote to memory of 2400	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	90
PID 2360 wrote to memory of 2400	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	90
PID 2360 wrote to memory of 1788	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	92
PID 2360 wrote to memory of 1788	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	92
PID 2360 wrote to memory of 1788	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	92
PID 2360 wrote to memory of 4872	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	93
PID 2360 wrote to memory of 4872	2360	21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe	93
PID 4872 wrote to memory of 1820	4872	R00tkit Blandly.exe	98
PID 4872 wrote to memory of 1820	4872	R00tkit Blandly.exe	98

C:\Users\Admin\AppData\Local\Temp\21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe
"C:\Users\Admin\AppData\Local\Temp\21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\3377.exe
  "C:\Users\Admin\AppData\Local\Temp\3377.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe
  "C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe
  "C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe
    "C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3377.exe

Filesize
202KB

MD5
0e013a4db9f8352623a4eaa401d1911d

SHA1
67f2a12f5885ecd77529e21754f6597a2681800d

SHA256
1f3efa5e76eefce96212cbb8b77df3aae303ec5d6867a5c70d6d546836149584

SHA512
9c265ba915a79f95fa1d2cd85dec28308fc09a3fac4d5b8a35ecc6aebc22fe573343451fd822a5d6b4e7fc8a57fd60a7df26134f9fef83e128add574e42c0337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blandly Rootkit.exe

Filesize
3.0MB

MD5
302e8cd3926e071313c59cb2ad1d1d79

SHA1
53e21e236d428fcd390b54d4803ac43fdafe6b6c

SHA256
984360f867c1891f7ea6293ac2f72907321d1bcc4e68184327dad522744c97a5

SHA512
e95d3a536eeac0834b249511100d7e354c3994840882a9b4e77d6f93b8d7750a09a85f74fa2b9b71304c5be66a559df2f0089c82f3d8f78c658a385379d09c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\R00tkit Blandly.exe

Filesize
2.7MB

MD5
b66e88ba098da4d287b2dd99f69d14ef

SHA1
7bc51b7d8fb33372b162ec8cb7da3d9283ddb7d4

SHA256
105fee6fb5d6119c586844d5b7ceaa27b86c8ace1b8c2c30eaea51eb55c7b115

SHA512
a08c1cb60dfba2a4a601bcb5bf3f84e08aa98aa5eab1de8aace423f52f38ae1ed7ae610b60d6ad7dbe1dd9329e022c08f91f84fa62fed8acf84c437c0883cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksmj.ddns.net.exe

Filesize
202KB

MD5
e2557f03a5d4de545313ba77de25139e

SHA1
74e271b02f314f8e1544d51ba3095c33b6015930

SHA256
ec9bba03d8dabd1ccaf0decd0bbe6fa6b8f23b8b81d67bc96b644f8751409ac6

SHA512
451eb59e76ec322c278f99e83af335d419ffc43d0485b4884b0ac519b5759fcf7a6770439894dd240ccc32678842df3b457aa74a82d0079a3e84ff52479d6929

Download Submit
C:\Users\Admin\AppData\Roaming\36B1FE7C-A761-496A-8112-D9EB33B24287\run.dat

Filesize
8B

MD5
9c1387194ad957884aa49c6e74fecbcb

SHA1
839ed7ad1c3d86706ec5fd69e6123a5ee0e09b39

SHA256
9575e5588b087c44126e8c8105f13563fb7dfd1b08e249d2fcf83c5cf51987ed

SHA512
53be5ba5194750604a56b3b3ae1948c0b174a80e314ab29af2b8c036a52f99a96fb2e8e713581bf6853c786bd5026d81e7aef69aeceaf9376b27f3fbff606cc7

Download Submit
memory/1788-60-0x0000000074E02000-0x0000000074E04000-memory.dmp

Filesize
8KB

Download
memory/1788-31-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/1788-59-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/1788-37-0x0000000074E02000-0x0000000074E04000-memory.dmp

Filesize
8KB

Download
memory/1788-36-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/1788-56-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/1820-53-0x00000250803A0000-0x0000025080450000-memory.dmp

Filesize
704KB

Download
memory/1820-52-0x00000250E2EE0000-0x00000250E31E6000-memory.dmp

Filesize
3.0MB

Download
memory/2360-38-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-0-0x00007FFD9CDE3000-0x00007FFD9CDE5000-memory.dmp

Filesize
8KB

Download
memory/2360-7-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-1-0x00000000001C0000-0x00000000004C4000-memory.dmp

Filesize
3.0MB

Download
memory/2400-55-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/2400-58-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/2400-35-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/2400-32-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4872-33-0x00000000004C0000-0x0000000000774000-memory.dmp

Filesize
2.7MB

Download
memory/4872-57-0x00007FFD9CDE3000-0x00007FFD9CDE5000-memory.dmp

Filesize
8KB

Download
memory/4872-34-0x00007FFD9CDE3000-0x00007FFD9CDE5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads