nanocore | dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc

General

Target

dllhost.exe
Size

1.8MB
MD5

51710e06bbd844ae2b0494e5c142dcbe
SHA1

68d8378d23edc21b09be4d56e443a4204c749b6a
SHA256

dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc
SHA512

eac92e729da84e54c5f010f5cbf87d280a901745e19608187563229c0b0222c2b23c6571ee9843a7664cb7b245d66e961fb3f540ba0c4ddb0eb58e05b614c50c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	dllhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dllhost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dllhost.exe

pid process

1152 dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

pid	process
1152	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	dllhost.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	dllhost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

748 schtasks.exe
672 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

dllhost.exe

pid process

1152 dllhost.exe
1152 dllhost.exe
1152 dllhost.exe
1152 dllhost.exe
1152 dllhost.exe
1152 dllhost.exe
1152 dllhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

1152 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dllhost.exe

description pid process

Token: SeDebugPrivilege 1152 dllhost.exe
Token: SeDebugPrivilege 1152 dllhost.exe

pid	process
748	schtasks.exe
672	schtasks.exe

pid	process
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe

pid	process
1152	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	1152	dllhost.exe
Token: SeDebugPrivilege	1152	dllhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dllhost.exe

description	pid	process	target process
PID 1152 wrote to memory of 748	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 748	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 748	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 748	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 672	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 672	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 672	1152	dllhost.exe	schtasks.exe
PID 1152 wrote to memory of 672	1152	dllhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD98.tmp"
2⤵
- Creates scheduled task(s)
PID:748

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp"
2⤵
- Creates scheduled task(s)
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD98.tmp
MD5
ee10d5ce3e711f0e871cea6684896e1c

SHA1
62665575bb01b06827ab3d21d101bc61be54a91e

SHA256
7ff4af41079f53c1c4acf8002328345f8314074f9ebee0bb0511169fffbad2b7

SHA512
25f2972dea0468b9882b4d4166347b69cbb9f5a26d959ccacfedbc07800ab3db4e3aa044668d535d47852c6f3016f1a2e7e3e2c4475410aae8dfe64982ea62ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp
MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
memory/672-8-0x0000000000000000-mapping.dmp

Download
memory/748-5-0x0000000000000000-mapping.dmp

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1152-4-0x00000000045D0000-0x00000000045E1000-memory.dmp

Filesize
68KB

Download
memory/1152-3-0x00000000041C0000-0x00000000041D1000-memory.dmp

Filesize
68KB

Download
memory/1152-6-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads