nanocore | f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8

General

Target

767E1C497FF0D617DE66C2D8ECE44C49.exe
Size

203KB
MD5

767e1c497ff0d617de66c2d8ece44c49
SHA1

118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256

f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
SHA512

f24acf37c91c0fbfb02c17566d5b9d3ff548bd414d11f343ab56b4105d257721fc54c57254d3078ae30d4ec54d403eb5af3e50a648b4b1f8c579d745f50b492c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	767E1C497FF0D617DE66C2D8ECE44C49.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	767E1C497FF0D617DE66C2D8ECE44C49.exe

Drops file in Program Files directory 2 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1792 schtasks.exe
1756 schtasks.exe

pid	process
1792	schtasks.exe
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid	process
1104	767E1C497FF0D617DE66C2D8ECE44C49.exe
1104	767E1C497FF0D617DE66C2D8ECE44C49.exe
1104	767E1C497FF0D617DE66C2D8ECE44C49.exe
1104	767E1C497FF0D617DE66C2D8ECE44C49.exe
1104	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid process

1104 767E1C497FF0D617DE66C2D8ECE44C49.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description pid process

Token: SeDebugPrivilege 1104 767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process
Token: SeDebugPrivilege	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process	target process
PID 1104 wrote to memory of 1792	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1792	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1792	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1792	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1756	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1756	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1756	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 1104 wrote to memory of 1756	1104	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe
"C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAB5C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1792
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC95.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB5C.tmp

MD5
67804f816e379fb05d068938dfa88076

SHA1
9f7d749bb4e76adccd4720a80513df2cf459ad2f

SHA256
6a460eaaabdb9c64cc3f9f19ea8d135e4f44ba4f5cd0da36dbad5e8a68d96136

SHA512
0b57be2044357e2be038a7d7790a9330e87f3ec5e12df39852e72390548930545e8b4092333489253044176959a88f8ab3f86eb5b576daab89fadadd58907bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC95.tmp

MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
memory/1104-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1104-60-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1104-65-0x0000000000611000-0x0000000000612000-memory.dmp

Filesize
4KB

Download
memory/1756-63-0x0000000000000000-mapping.dmp

Download
memory/1792-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads