nanocore | 36f15aee254275fbabb7fa07f09bc17c17b91624f22844f687f816b689a66c22

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Arabian American Oil Company Tender..exe
Size

496KB
MD5

67d4023a5aaab69d59959d0728bed56c
SHA1

77cfae73cefa142e3ed5d960bef5247d04806bd1
SHA256

e6be68301afc61e68d370df534c24a654c4639654113a346bb5cea2a7195d0ce
SHA512

162df92e15d7bcad66e296e4b6e79fe72c4926257e087651ba85e1b0053d589f58b52a0ab7e60f5e7b234d878bb68ae027c6c697148c8c433a12f9117ff2a86e
SSDEEP

6144:OYJFyyAdPXFFkHLWIZX5SoIYuJoy/ReQxD3M0pisQf83zvzkbszOCCFU1WCcDcC1:OgtAhXFFkHTh5/ce4SWo4xSzZ

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

rolex.ddns.net:4354

91.192.100.3:4354

Mutex

40eac189-eeb0-451f-9b5a-4de11b5cec85

Attributes

activate_away_mode
true
backup_connection_host
91.192.100.3
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-08T09:03:22.291940136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4354
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
40eac189-eeb0-451f-9b5a-4de11b5cec85
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolex.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Urgent Arabian American Oil Company Tender..exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation Urgent Arabian American Oil Company Tender..exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Urgent Arabian American Oil Company Tender..exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Urgent Arabian American Oil Company Tender..exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

description pid process target process

PID 4716 set thread context of 2748 4716 Urgent Arabian American Oil Company Tender..exe Urgent Arabian American Oil Company Tender..exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1896 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Urgent Arabian American Oil Company Tender..exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Urgent Arabian American Oil Company Tender..exe

description	pid	process	target process
PID 4716 set thread context of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe

pid	process
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exeUrgent Arabian American Oil Company Tender..exe

pid	process
4716	Urgent Arabian American Oil Company Tender..exe
4716	Urgent Arabian American Oil Company Tender..exe
4716	Urgent Arabian American Oil Company Tender..exe
2748	Urgent Arabian American Oil Company Tender..exe
2748	Urgent Arabian American Oil Company Tender..exe
2748	Urgent Arabian American Oil Company Tender..exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

pid process

2748 Urgent Arabian American Oil Company Tender..exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exeUrgent Arabian American Oil Company Tender..exe

description pid process

Token: SeDebugPrivilege 4716 Urgent Arabian American Oil Company Tender..exe
Token: SeDebugPrivilege 2748 Urgent Arabian American Oil Company Tender..exe

pid	process
2748	Urgent Arabian American Oil Company Tender..exe

description	pid	process
Token: SeDebugPrivilege	4716	Urgent Arabian American Oil Company Tender..exe
Token: SeDebugPrivilege	2748	Urgent Arabian American Oil Company Tender..exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Urgent Arabian American Oil Company Tender..exe

description	pid	process	target process
PID 4716 wrote to memory of 1896	4716	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 4716 wrote to memory of 1896	4716	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 4716 wrote to memory of 1896	4716	Urgent Arabian American Oil Company Tender..exe	schtasks.exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe
PID 4716 wrote to memory of 2748	4716	Urgent Arabian American Oil Company Tender..exe	Urgent Arabian American Oil Company Tender..exe

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a44444.xml"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Urgent Arabian American Oil Company Tender..exe.log
Filesize
223B

MD5
1cc4c5b51e50ec74a6880b50ecbee28b

SHA1
1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba

SHA256
0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b

SHA512
5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

Download Submit
C:\Users\Admin\AppData\Roaming\HWJIERY\a44444.xml
Filesize
1KB

MD5
5aabcb8211cd687e328665c30bc854d5

SHA1
5dd9a3f311d80da9fa0459ad911a71358d8e4667

SHA256
5f84277d7cb7962b0a18228002df12f5a1231d47c3c841d27af6bea3d93ecc89

SHA512
2f6af60ff8bea976c70cc339349ace823349bac33082436cd6edfbbfdd2e35b91100cecea194d9b9cd8c43641e638b1c554d5def1f342ed9c7218ec1917ae5fc

Download Submit
memory/2748-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2748-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2748-13-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2748-14-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2748-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2748-16-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2748-17-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2748-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

Filesize
4KB

Download
memory/4716-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-12-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download