nanocore | b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nano.exe
Size

585KB
MD5

41d27d71597c9d1163fb58a816223962
SHA1

2ae197a2724967fb0ae77ee0c20d95d354b9e5cb
SHA256

b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
SHA512

555aa48eaa46f83933e34c6e8ecaf79c8f1756fb9de79181e4132bc2d02c5789abba90458ad347a374f34fc829f83b36d6666f64a657bf7e99ca5cb9aac2e1a0
SSDEEP

12288:2aYEnxStMSe+LQMNQ7ZQhIyOQSNSY2CNZ+TB29JvNgRh:J/nxSiSCMNQFwt3Jx8gB29Jv2

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

2023endofyear.duckdns.org:15170

127.0.0.1:15170

Mutex

68e7ea47-3f3c-4af7-9707-6d09d0468009

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-12-29T09:19:37.611227236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
15170
default_group
GLOBAL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
68e7ea47-3f3c-4af7-9707-6d09d0468009
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
2023endofyear.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2108 powershell.exe
2644 powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

nano.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" nano.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nano.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nano.exe

description pid process target process

PID 2060 set thread context of 2768 2060 nano.exe nano.exe
Drops file in Program Files directory 2 IoCs

Processes:

nano.exe

description ioc process

File created C:\Program Files (x86)\NAS Host\nashost.exe nano.exe
File opened for modification C:\Program Files (x86)\NAS Host\nashost.exe nano.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2668 schtasks.exe
1800 schtasks.exe
2616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exenano.exe

pid process

2108 powershell.exe
2644 powershell.exe
2768 nano.exe
2768 nano.exe
2768 nano.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nano.exe

pid process

2768 nano.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exenano.exe

description pid process

Token: SeDebugPrivilege 2644 powershell.exe
Token: SeDebugPrivilege 2108 powershell.exe
Token: SeDebugPrivilege 2768 nano.exe

pid	process
2108	powershell.exe
2644	powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe"	nano.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano.exe

description	pid	process	target process
PID 2060 set thread context of 2768	2060	nano.exe	nano.exe

description	ioc	process
File created	C:\Program Files (x86)\NAS Host\nashost.exe	nano.exe
File opened for modification	C:\Program Files (x86)\NAS Host\nashost.exe	nano.exe

pid	process
2668	schtasks.exe
1800	schtasks.exe
2616	schtasks.exe

pid	process
2108	powershell.exe
2644	powershell.exe
2768	nano.exe
2768	nano.exe
2768	nano.exe

pid	process
2768	nano.exe

description	pid	process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2768	nano.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

nano.exenano.exe

description	pid	process	target process
PID 2060 wrote to memory of 2108	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2108	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2108	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2108	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2644	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2644	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2644	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2644	2060	nano.exe	powershell.exe
PID 2060 wrote to memory of 2668	2060	nano.exe	schtasks.exe
PID 2060 wrote to memory of 2668	2060	nano.exe	schtasks.exe
PID 2060 wrote to memory of 2668	2060	nano.exe	schtasks.exe
PID 2060 wrote to memory of 2668	2060	nano.exe	schtasks.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2060 wrote to memory of 2768	2060	nano.exe	nano.exe
PID 2768 wrote to memory of 1800	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 1800	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 1800	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 1800	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 2616	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 2616	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 2616	2768	nano.exe	schtasks.exe
PID 2768 wrote to memory of 2616	2768	nano.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\nano.exe
"C:\Users\Admin\AppData\Local\Temp\nano.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp"
2⤵
- Creates scheduled task(s)
PID:2668

C:\Users\Admin\AppData\Local\Temp\nano.exe
"C:\Users\Admin\AppData\Local\Temp\nano.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp"
3⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp"
3⤵
- Creates scheduled task(s)
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp
Filesize
1KB

MD5
bea4e326d6dff14d735324d27e03956f

SHA1
c94861e7260f1b18d0a86742a3300f888224c4c4

SHA256
71c9a4181f05fc659666cafc040549140703a2cbe063dd70ee408eb41141421e

SHA512
1d8211e31bd90d55caf6674166b68b499a3f3e74e29b342472617a378fa99cff20c6063ef4358abdd5cdc12f6a7af375efb0297f150f02e5b79fa73cc877e315

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp
Filesize
1KB

MD5
082cbbf4722a31333759fefb09e31258

SHA1
baf14a5f6496b590dc89bd978b06acdfe66f4480

SHA256
6fc807dc7258be0c9a45ce66659d4893c3fbecf33d08c4a4452153ba64022f69

SHA512
e8576972437179a75afbe87d415d683ae8d80c33bab31626a93b481df87ad8207b87497360fd15986d94f6792b4aee50b9910fe41c4a799a64f54b575cccc6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp
Filesize
1KB

MD5
9f554f602c22cfc20079e966d177fadb

SHA1
789baa3425849bf239e47c6bcf352e6693a8c337

SHA256
4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1

SHA512
b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APVH8Y30AL2POFPD1ZPU.temp
Filesize
7KB

MD5
489175d72d90d28cf1919fdce53e24f8

SHA1
b70f9a2e18550fd9e0c6dc4ca5a45f483915f403

SHA256
0d2d8aea674cbcfbafbf207564520f19a3ca0ea9e3b5880ca7166c90bc2539a0

SHA512
b8028d57c98b854f87c669c5d3e935de5c2b1751022223c0c7538be057555218911e353837592fe1e779d77ecdeb4bbbbcd1878f5c66b8df098ed3a2e96ceb95

Download Submit
memory/2060-6-0x0000000002050000-0x00000000020CC000-memory.dmp

Filesize
496KB

Download
memory/2060-31-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/2060-4-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2060-3-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/2060-1-0x0000000000950000-0x00000000009E8000-memory.dmp

Filesize
608KB

Download
memory/2060-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-5-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2768-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-40-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2768-41-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2768-42-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download
memory/2768-43-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download