nanocore | f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8

General

Target

767E1C497FF0D617DE66C2D8ECE44C49.exe
Size

203KB
MD5

767e1c497ff0d617de66c2d8ece44c49
SHA1

118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256

f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
SHA512

f24acf37c91c0fbfb02c17566d5b9d3ff548bd414d11f343ab56b4105d257721fc54c57254d3078ae30d4ec54d403eb5af3e50a648b4b1f8c579d745f50b492c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"	767E1C497FF0D617DE66C2D8ECE44C49.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	767E1C497FF0D617DE66C2D8ECE44C49.exe

Drops file in Program Files directory 2 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	ioc	process
File created	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe
File opened for modification	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	767E1C497FF0D617DE66C2D8ECE44C49.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3056 schtasks.exe
4004 schtasks.exe

pid	process
3056	schtasks.exe
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid	process
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe
4044	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

pid process

4044 767E1C497FF0D617DE66C2D8ECE44C49.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description pid process

Token: SeDebugPrivilege 4044 767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process
Token: SeDebugPrivilege	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

767E1C497FF0D617DE66C2D8ECE44C49.exe

description	pid	process	target process
PID 4044 wrote to memory of 3056	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 4044 wrote to memory of 3056	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 4044 wrote to memory of 3056	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 4044 wrote to memory of 4004	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 4044 wrote to memory of 4004	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe
PID 4044 wrote to memory of 4004	4044	767E1C497FF0D617DE66C2D8ECE44C49.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe
"C:\Users\Admin\AppData\Local\Temp\767E1C497FF0D617DE66C2D8ECE44C49.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp72D4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3056
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7556.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp72D4.tmp

MD5
67804f816e379fb05d068938dfa88076

SHA1
9f7d749bb4e76adccd4720a80513df2cf459ad2f

SHA256
6a460eaaabdb9c64cc3f9f19ea8d135e4f44ba4f5cd0da36dbad5e8a68d96136

SHA512
0b57be2044357e2be038a7d7790a9330e87f3ec5e12df39852e72390548930545e8b4092333489253044176959a88f8ab3f86eb5b576daab89fadadd58907bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7556.tmp

MD5
af9986f5e128fd8bd3ae748fcba6576d

SHA1
8060072c35108b48649a03be91803b97f1ad40a4

SHA256
f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303

SHA512
f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38

Download Submit
memory/3056-115-0x0000000000000000-mapping.dmp

Download
memory/4004-117-0x0000000000000000-mapping.dmp

Download
memory/4044-114-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads