nanocore | 3513df7406eef953434f0c75bcdf33c112ee42d6f81edb1928d1e008b691d703

General

Target

f2651b458654fc1799efe0c9ab71fdbf.exe
Size

956KB
MD5

f2651b458654fc1799efe0c9ab71fdbf
SHA1

acb40c16a5163ccaa66a5a86084005d696fd590a
SHA256

3513df7406eef953434f0c75bcdf33c112ee42d6f81edb1928d1e008b691d703
SHA512

19e1a21a15391eb6d77248d3bb4d0bc8ce3685b718a674eea627166b59e9edc3be69cc99eae1885c054a5f52eaa3a130383cd3757247b08b544eb97677ce55f2

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	f2651b458654fc1799efe0c9ab71fdbf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f2651b458654fc1799efe0c9ab71fdbf.exe

Drops file in Program Files directory 2 IoCs

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Service\wansv.exe	f2651b458654fc1799efe0c9ab71fdbf.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	f2651b458654fc1799efe0c9ab71fdbf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe

pid	process
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

pid	process
3888	f2651b458654fc1799efe0c9ab71fdbf.exe
3888	f2651b458654fc1799efe0c9ab71fdbf.exe
3888	f2651b458654fc1799efe0c9ab71fdbf.exe
3888	f2651b458654fc1799efe0c9ab71fdbf.exe
3888	f2651b458654fc1799efe0c9ab71fdbf.exe
3888	f2651b458654fc1799efe0c9ab71fdbf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

pid process

3888 f2651b458654fc1799efe0c9ab71fdbf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f2651b458654fc1799efe0c9ab71fdbf.exe

description pid process

Token: SeDebugPrivilege 3888 f2651b458654fc1799efe0c9ab71fdbf.exe

description	pid	process
Token: SeDebugPrivilege	3888	f2651b458654fc1799efe0c9ab71fdbf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f2651b458654fc1799efe0c9ab71fdbf.execmd.exe

description	pid	process	target process
PID 3888 wrote to memory of 2532	3888	f2651b458654fc1799efe0c9ab71fdbf.exe	cmd.exe
PID 3888 wrote to memory of 2532	3888	f2651b458654fc1799efe0c9ab71fdbf.exe	cmd.exe
PID 3888 wrote to memory of 2532	3888	f2651b458654fc1799efe0c9ab71fdbf.exe	cmd.exe
PID 2532 wrote to memory of 2032	2532	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 2032	2532	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 2032	2532	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
"C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml"
3⤵
- Creates scheduled task(s)
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml
MD5
9b9f55269777478c14d0df70aca1e605

SHA1
70cb6623e23bb5ea8a4b2c955196c8220fafea0c

SHA256
6608a0d42fa40e15f4efbfe0ed68ecc41446c46b650f2dbcd55b36d1ef20da48

SHA512
a1c7756f26ed442c7fe88745a5654d0318f77d0af75a2e64d8411118fa3d3e8fca08015b631aeda9223363738fbe8e48a4bc3770e16023cd19733c4dff90343b

Download Submit
memory/2032-3-0x0000000000000000-mapping.dmp

Download
memory/2532-2-0x0000000000000000-mapping.dmp

Download
memory/3888-6-0x000000001D2A0000-0x000000001D2A1000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x000000001D2A1000-0x000000001D2A2000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3888-8-0x000000001D2A2000-0x000000001D2A4000-memory.dmp

Filesize
8KB

Download
memory/3888-9-0x000000001D2A7000-0x000000001D2A8000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x000000001D2A8000-0x000000001D2A9000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads