nanocore | 6f6d5cffc1e927811613347c2c10f9071434fedde5780114089981e494b573a7

Analysis

max time kernel
147s
max time network
163s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRwrC.exe
Size

202KB
MD5

eaa9755979d4edeac9c48ffb1f42551c
SHA1

0ba5fc95f551f89648e0ddae327e60ffa417712f
SHA256

6f6d5cffc1e927811613347c2c10f9071434fedde5780114089981e494b573a7
SHA512

37fc60d70c6e573ef2ff1cbdc984614e6ececbee34966fb11d21703b222a3d32d64f2d519b4617c2c33ab5ad81a60fcf65e8d39ab62c145a070657d94918beda

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TRwrC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	TRwrC.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TRwrC.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TRwrC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TRwrC.exe

Drops file in Program Files directory 2 IoCs

Processes:

TRwrC.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	TRwrC.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	TRwrC.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

TRwrC.exe

pid process

3876 TRwrC.exe
3876 TRwrC.exe
3876 TRwrC.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TRwrC.exe

pid process

3876 TRwrC.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TRwrC.exe

description pid process

Token: SeDebugPrivilege 3876 TRwrC.exe

pid	process
3876	TRwrC.exe
3876	TRwrC.exe
3876	TRwrC.exe

pid	process
3876	TRwrC.exe

description	pid	process
Token: SeDebugPrivilege	3876	TRwrC.exe

C:\Users\Admin\AppData\Local\Temp\TRwrC.exe
"C:\Users\Admin\AppData\Local\Temp\TRwrC.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-114-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download