nanocore | f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8

General

Target

767E1C497FF0D617DE66C2D8ECE44C49.exe
Size

203KB
MD5

767e1c497ff0d617de66c2d8ece44c49
SHA1

118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256

f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
SHA512

f24acf37c91c0fbfb02c17566d5b9d3ff548bd414d11f343ab56b4105d257721fc54c57254d3078ae30d4ec54d403eb5af3e50a648b4b1f8c579d745f50b492c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	767E1C497FF0D617DE66C2D8ECE44C49.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	767E1C497FF0D617DE66C2D8ECE44C49.exe

Drops file in Program Files directory 2 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1620 schtasks.exe
1328 schtasks.exe

pid	process
1620	schtasks.exe
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid	process
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe
2044	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid process

2044 767E1C497FF0D617DE66C2D8ECE44C49.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description pid process

Token: SeDebugPrivilege 2044 767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process
Token: SeDebugPrivilege	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process	target process
PID 2044 wrote to memory of 1328	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1328	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1328	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1328	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1620	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1620	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1620	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 2044 wrote to memory of 1620	2044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe
"C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp62D8.tmp"
2⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp648E.tmp"
2⤵
- Creates scheduled task(s)
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62D8.tmp
MD5
67804f816e379fb05d068938dfa88076

SHA1
9f7d749bb4e76adccd4720a80513df2cf459ad2f

SHA256
6a460eaaabdb9c64cc3f9f19ea8d135e4f44ba4f5cd0da36dbad5e8a68d96136

SHA512
0b57be2044357e2be038a7d7790a9330e87f3ec5e12df39852e72390548930545e8b4092333489253044176959a88f8ab3f86eb5b576daab89fadadd58907bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp648E.tmp
MD5
a9af285136db016a568e4a53208f21d0

SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7

SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c

SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

Download Submit
memory/1328-61-0x0000000000000000-mapping.dmp

Download
memory/1620-63-0x0000000000000000-mapping.dmp

Download
memory/2044-59-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/2044-60-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads