nanocore | 1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392

General

Target

0e4551b1546fa898c55b2511d9fca86d.exe
Size

853KB
MD5

0e4551b1546fa898c55b2511d9fca86d
SHA1

51a6d274b1283640e248431bd887ef1f170371f9
SHA256

1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392
SHA512

ed09f78fbda757a1e154541c0ef2588bec2e6af6889246dcfaff2fa2ba78169edbcccdc1ada228555abe233d1ab69aa375288452e9cc90d7c502eb322353706a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	0e4551b1546fa898c55b2511d9fca86d.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e4551b1546fa898c55b2511d9fca86d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

description pid process target process

PID 1400 set thread context of 3268 1400 0e4551b1546fa898c55b2511d9fca86d.exe 0e4551b1546fa898c55b2511d9fca86d.exe

description	pid	process	target process
PID 1400 set thread context of 3268	1400	0e4551b1546fa898c55b2511d9fca86d.exe	0e4551b1546fa898c55b2511d9fca86d.exe

Drops file in Program Files directory 2 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	0e4551b1546fa898c55b2511d9fca86d.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	0e4551b1546fa898c55b2511d9fca86d.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3948 schtasks.exe

pid	process
3948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

pid	process
3268	0e4551b1546fa898c55b2511d9fca86d.exe
3268	0e4551b1546fa898c55b2511d9fca86d.exe
3268	0e4551b1546fa898c55b2511d9fca86d.exe
3268	0e4551b1546fa898c55b2511d9fca86d.exe
3268	0e4551b1546fa898c55b2511d9fca86d.exe
3268	0e4551b1546fa898c55b2511d9fca86d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

pid process

3268 0e4551b1546fa898c55b2511d9fca86d.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

pid process

1400 0e4551b1546fa898c55b2511d9fca86d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.exe

description pid process

Token: SeDebugPrivilege 3268 0e4551b1546fa898c55b2511d9fca86d.exe

pid	process
1400	0e4551b1546fa898c55b2511d9fca86d.exe

description	pid	process
Token: SeDebugPrivilege	3268	0e4551b1546fa898c55b2511d9fca86d.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

0e4551b1546fa898c55b2511d9fca86d.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 3432	1400	0e4551b1546fa898c55b2511d9fca86d.exe	cmd.exe
PID 1400 wrote to memory of 3432	1400	0e4551b1546fa898c55b2511d9fca86d.exe	cmd.exe
PID 1400 wrote to memory of 3432	1400	0e4551b1546fa898c55b2511d9fca86d.exe	cmd.exe
PID 1400 wrote to memory of 3268	1400	0e4551b1546fa898c55b2511d9fca86d.exe	0e4551b1546fa898c55b2511d9fca86d.exe
PID 1400 wrote to memory of 3268	1400	0e4551b1546fa898c55b2511d9fca86d.exe	0e4551b1546fa898c55b2511d9fca86d.exe
PID 1400 wrote to memory of 3268	1400	0e4551b1546fa898c55b2511d9fca86d.exe	0e4551b1546fa898c55b2511d9fca86d.exe
PID 1400 wrote to memory of 3268	1400	0e4551b1546fa898c55b2511d9fca86d.exe	0e4551b1546fa898c55b2511d9fca86d.exe
PID 3432 wrote to memory of 3948	3432	cmd.exe	schtasks.exe
PID 3432 wrote to memory of 3948	3432	cmd.exe	schtasks.exe
PID 3432 wrote to memory of 3948	3432	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0e4551b1546fa898c55b2511d9fca86d.exe
"C:\Users\Admin\AppData\Local\Temp\0e4551b1546fa898c55b2511d9fca86d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\16c14909c3e6445da3680b44be5a0ed2.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\16c14909c3e6445da3680b44be5a0ed2.xml"
3⤵
- Creates scheduled task(s)
PID:3948

C:\Users\Admin\AppData\Local\Temp\0e4551b1546fa898c55b2511d9fca86d.exe
"C:\Users\Admin\AppData\Local\Temp\0e4551b1546fa898c55b2511d9fca86d.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16c14909c3e6445da3680b44be5a0ed2.xml
MD5
43c05bf3455e78df840d6f2bfcfbcb59

SHA1
e61b3fb27d8db7a512c054b514928782824c2162

SHA256
3e8480932782879bba79ffd9c3067aeb01931308abccb9aa992572708c585ab1

SHA512
2a5b739a793d8fd158f8f3783d649ffbbeb8df21576d634f48908983d2b2acbad95c87ebec8ddf764de4bc841a7228eabe840e497b0824c7a7b8c7dca093c4d3

Download Submit
memory/3268-3-0x000000000040188B-mapping.dmp

Download
memory/3268-7-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3268-6-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-9-0x0000000002812000-0x0000000002814000-memory.dmp

Filesize
8KB

Download
memory/3268-8-0x0000000002811000-0x0000000002812000-memory.dmp

Filesize
4KB

Download
memory/3268-11-0x0000000002818000-0x0000000002819000-memory.dmp

Filesize
4KB

Download
memory/3268-10-0x0000000002817000-0x0000000002818000-memory.dmp

Filesize
4KB

Download
memory/3432-2-0x0000000000000000-mapping.dmp

Download
memory/3948-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads