nanocore | dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc

General

Target

dllhost.exe
Size

1.8MB
MD5

51710e06bbd844ae2b0494e5c142dcbe
SHA1

68d8378d23edc21b09be4d56e443a4204c749b6a
SHA256

dc1649633cb90b8456c19c1b53675ad07d0bf2774d33b8c8f650f1e65489d6fc
SHA512

eac92e729da84e54c5f010f5cbf87d280a901745e19608187563229c0b0222c2b23c6571ee9843a7664cb7b245d66e961fb3f540ba0c4ddb0eb58e05b614c50c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	dllhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dllhost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dllhost.exe

pid process

648 dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

pid	process
648	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	dllhost.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	dllhost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

204 schtasks.exe
2008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

dllhost.exe

pid process

648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
648 dllhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

648 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dllhost.exe

description pid process

Token: SeDebugPrivilege 648 dllhost.exe
Token: SeDebugPrivilege 648 dllhost.exe

pid	process
204	schtasks.exe
2008	schtasks.exe

pid	process
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe
648	dllhost.exe

pid	process
648	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	648	dllhost.exe
Token: SeDebugPrivilege	648	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dllhost.exe

description	pid	process	target process
PID 648 wrote to memory of 204	648	dllhost.exe	schtasks.exe
PID 648 wrote to memory of 204	648	dllhost.exe	schtasks.exe
PID 648 wrote to memory of 204	648	dllhost.exe	schtasks.exe
PID 648 wrote to memory of 2008	648	dllhost.exe	schtasks.exe
PID 648 wrote to memory of 2008	648	dllhost.exe	schtasks.exe
PID 648 wrote to memory of 2008	648	dllhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B83.tmp"
2⤵
- Creates scheduled task(s)
PID:204

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CEC.tmp"
2⤵
- Creates scheduled task(s)
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5B83.tmp
MD5
ee10d5ce3e711f0e871cea6684896e1c

SHA1
62665575bb01b06827ab3d21d101bc61be54a91e

SHA256
7ff4af41079f53c1c4acf8002328345f8314074f9ebee0bb0511169fffbad2b7

SHA512
25f2972dea0468b9882b4d4166347b69cbb9f5a26d959ccacfedbc07800ab3db4e3aa044668d535d47852c6f3016f1a2e7e3e2c4475410aae8dfe64982ea62ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CEC.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/204-6-0x0000000000000000-mapping.dmp

Download
memory/648-3-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/648-2-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/648-5-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/648-4-0x0000000076FC4000-0x0000000076FC5000-memory.dmp

Filesize
4KB

Download
memory/2008-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads