nanocore | 36f15aee254275fbabb7fa07f09bc17c17b91624f22844f687f816b689a66c22

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Arabian American Oil Company Tender..exe
Size

496KB
MD5

67d4023a5aaab69d59959d0728bed56c
SHA1

77cfae73cefa142e3ed5d960bef5247d04806bd1
SHA256

e6be68301afc61e68d370df534c24a654c4639654113a346bb5cea2a7195d0ce
SHA512

162df92e15d7bcad66e296e4b6e79fe72c4926257e087651ba85e1b0053d589f58b52a0ab7e60f5e7b234d878bb68ae027c6c697148c8c433a12f9117ff2a86e
SSDEEP

6144:OYJFyyAdPXFFkHLWIZX5SoIYuJoy/ReQxD3M0pisQf83zvzkbszOCCFU1WCcDcC1:OgtAhXFFkHTh5/ce4SWo4xSzZ

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

rolex.ddns.net:4354

91.192.100.3:4354

Mutex

40eac189-eeb0-451f-9b5a-4de11b5cec85

Attributes

activate_away_mode
true
backup_connection_host
91.192.100.3
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-08T09:03:22.291940136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4354
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
40eac189-eeb0-451f-9b5a-4de11b5cec85
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolex.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Urgent Arabian American Oil Company Tender..exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Urgent Arabian American Oil Company Tender..exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

description pid process target process

PID 3044 set thread context of 2636 3044 Urgent Arabian American Oil Company Tender..exe Urgent Arabian American Oil Company Tender..exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3068 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Urgent Arabian American Oil Company Tender..exe

description	pid	process	target process
PID 3044 set thread context of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe

pid	process
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exeUrgent Arabian American Oil Company Tender..exe

pid	process
3044	Urgent Arabian American Oil Company Tender..exe
3044	Urgent Arabian American Oil Company Tender..exe
3044	Urgent Arabian American Oil Company Tender..exe
2636	Urgent Arabian American Oil Company Tender..exe
2636	Urgent Arabian American Oil Company Tender..exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

pid process

2636 Urgent Arabian American Oil Company Tender..exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exeUrgent Arabian American Oil Company Tender..exe

description pid process

Token: SeDebugPrivilege 3044 Urgent Arabian American Oil Company Tender..exe
Token: SeDebugPrivilege 2636 Urgent Arabian American Oil Company Tender..exe

pid	process
2636	Urgent Arabian American Oil Company Tender..exe

description	pid	process
Token: SeDebugPrivilege	3044	Urgent Arabian American Oil Company Tender..exe
Token: SeDebugPrivilege	2636	Urgent Arabian American Oil Company Tender..exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

description	pid	process	target process
PID 3044 wrote to memory of 3068	3044	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 3044 wrote to memory of 3068	3044	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 3044 wrote to memory of 3068	3044	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 3044 wrote to memory of 3068	3044	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 3044 wrote to memory of 2636	3044	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a00000.xml"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HWJIERY\a00000.xml
Filesize
1KB

MD5
ecee2f8ec824d89012411447223f1454

SHA1
46d030d3779cdf149cf389db5408a3113fef5c6f

SHA256
9a8bb653aa4afad05bf574ef21d489318a62a447a1982618bfc59d046c8b31db

SHA512
ce64505222d79ded48554ccbde640142f4e1f84124d5639585b5fde25deeb31a0374c75db88dd03a5715c5bd06197c5a55ce7421fcbd83086cc080a748c2e74a

Download Submit
memory/2636-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-24-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-22-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2636-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

Filesize
4KB

Download
memory/3044-2-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-21-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download