nanocore | e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67

General

Target

Package_details.exe
Size

496KB
MD5

ce3c5367fb067a45f5fa10c35ca23a28
SHA1

9d0f4d746747a6fd13a48b1a867eb8d103d9daec
SHA256

e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
SHA512

ae46e93dd82128efd0c1f8dab094b7a51716a6bcde6053a66efdd8724115e7b6d4a0fab1caf0775482f358488edefe81becdd01a2a820fba9b338c30cb2d8a07

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Package_details.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	Package_details.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Package_details.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Package_details.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Package_details.exe

description pid process target process

PID 500 set thread context of 3676 500 Package_details.exe Package_details.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Package_details.exe

description	pid	process	target process
PID 500 set thread context of 3676	500	Package_details.exe	Package_details.exe

Drops file in Program Files directory 2 IoCs

Processes:

Package_details.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	Package_details.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	Package_details.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

932 schtasks.exe
2028 schtasks.exe
2536 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Package_details.exe

pid process

3676 Package_details.exe
3676 Package_details.exe
3676 Package_details.exe
3676 Package_details.exe
3676 Package_details.exe
3676 Package_details.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Package_details.exe

pid process

3676 Package_details.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Package_details.exe

pid process

500 Package_details.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Package_details.exe

description pid process

Token: SeDebugPrivilege 3676 Package_details.exe

pid	process
932	schtasks.exe
2028	schtasks.exe
2536	schtasks.exe

pid	process
3676	Package_details.exe
3676	Package_details.exe
3676	Package_details.exe
3676	Package_details.exe
3676	Package_details.exe
3676	Package_details.exe

pid	process
3676	Package_details.exe

pid	process
500	Package_details.exe

description	pid	process
Token: SeDebugPrivilege	3676	Package_details.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Package_details.execmd.exePackage_details.exe

description	pid	process	target process
PID 500 wrote to memory of 3716	500	Package_details.exe	cmd.exe
PID 500 wrote to memory of 3716	500	Package_details.exe	cmd.exe
PID 500 wrote to memory of 3716	500	Package_details.exe	cmd.exe
PID 500 wrote to memory of 3676	500	Package_details.exe	Package_details.exe
PID 500 wrote to memory of 3676	500	Package_details.exe	Package_details.exe
PID 500 wrote to memory of 3676	500	Package_details.exe	Package_details.exe
PID 500 wrote to memory of 3676	500	Package_details.exe	Package_details.exe
PID 3716 wrote to memory of 2536	3716	cmd.exe	schtasks.exe
PID 3716 wrote to memory of 2536	3716	cmd.exe	schtasks.exe
PID 3716 wrote to memory of 2536	3716	cmd.exe	schtasks.exe
PID 3676 wrote to memory of 932	3676	Package_details.exe	schtasks.exe
PID 3676 wrote to memory of 932	3676	Package_details.exe	schtasks.exe
PID 3676 wrote to memory of 932	3676	Package_details.exe	schtasks.exe
PID 3676 wrote to memory of 2028	3676	Package_details.exe	schtasks.exe
PID 3676 wrote to memory of 2028	3676	Package_details.exe	schtasks.exe
PID 3676 wrote to memory of 2028	3676	Package_details.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Package_details.exe
"C:\Users\Admin\AppData\Local\Temp\Package_details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN fonts /XML "C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN fonts /XML "C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml"
3⤵
- Creates scheduled task(s)
PID:2536

C:\Users\Admin\AppData\Local\Temp\Package_details.exe
"C:\Users\Admin\AppData\Local\Temp\Package_details.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp72A5.tmp"
3⤵
- Creates scheduled task(s)
PID:932

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7333.tmp"
3⤵
- Creates scheduled task(s)
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml
MD5
5fc29acbcdfe7d00af3d0c01af398433

SHA1
8f827b7db5de95bfc5dd411ee6fdc1e937c64acd

SHA256
91b8e54d330ff1288ac1d000656d3bdb4aea77647e2054fbd701d14b2d2e4e88

SHA512
ef4302980f8d362be186097c6a91ffdd95ad9910983b44c769fa378531c513ed1a8aa1db385b0ce64221a54479fc6a9bce55a34b41ac5cf8301473cd3ef0c966

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72A5.tmp
MD5
4064530f2d7e47af75d251d052abad47

SHA1
991874bdda0bdf847e31ba3040776fd95969a506

SHA256
876a0ea3fb8e063b11642f06ada2a6ebb27fc3106cc9c7a514dffbe97fee5612

SHA512
f64269bada83ada3330484cb8a12c44eed027a1c1a300c268a9032c4a85795f21404ad7ad479f8d0f72280eb713852d7e50f65dee84b038ebf02cdb9f40e2005

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7333.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/500-3-0x0000000002980000-0x00000000029C8000-memory.dmp

Filesize
288KB

Download
memory/932-7-0x0000000000000000-mapping.dmp

Download
memory/2028-9-0x0000000000000000-mapping.dmp

Download
memory/2536-5-0x0000000000000000-mapping.dmp

Download
memory/3676-1-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3676-2-0x000000000040188B-mapping.dmp

Download
memory/3676-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3716-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads