nanocore | 58aada0d5de39b81202650fe071a402364d57aeb78a46965df3ec5de87c7329d

General

Target

roblox.exe
Size

203KB
MD5

2d6a5a095c30df3f1d839f37adaee688
SHA1

3b57997f55113d907f7acca912906d26e2b1652b
SHA256

58aada0d5de39b81202650fe071a402364d57aeb78a46965df3ec5de87c7329d
SHA512

eaf2e77d33e15a1c26993432dd3d48e5438af00edfdf5384cbc4bc0e4c210fdde05f6698e84e32fbf363d4a23ffac89ac0a7d5fda973656ce55a272d379dacf3

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

roblox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	roblox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

roblox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA roblox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	roblox.exe

Drops file in Program Files directory 2 IoCs

Processes:

roblox.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	roblox.exe
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	roblox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1268 schtasks.exe
1280 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

roblox.exe

pid process

1052 roblox.exe
1052 roblox.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

roblox.exe

pid process

1052 roblox.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

roblox.exe

description pid process

Token: SeDebugPrivilege 1052 roblox.exe

pid	process
1268	schtasks.exe
1280	schtasks.exe

pid	process
1052	roblox.exe
1052	roblox.exe

pid	process
1052	roblox.exe

description	pid	process
Token: SeDebugPrivilege	1052	roblox.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

roblox.exe

description	pid	process	target process
PID 1052 wrote to memory of 1268	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1268	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1268	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1268	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1280	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1280	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1280	1052	roblox.exe	schtasks.exe
PID 1052 wrote to memory of 1280	1052	roblox.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\roblox.exe
"C:\Users\Admin\AppData\Local\Temp\roblox.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp722.tmp"
2⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp86B.tmp"
2⤵
- Creates scheduled task(s)
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp722.tmp
MD5
1101ff7971e1d1658cd78d587c907ffc

SHA1
2ade06b60b73b056ef2811862cde447c0a1a8a9d

SHA256
3708ee1da7936c01f157ed32b66d2778157fb77e79079fa69c97ceac1c992b50

SHA512
a3709f7bf279567425cf2da776f36006c27c172932d85e060dfebc0ee31664b39691611989d6a98694397ece44c8c2697fa615914fb3206013c9a77e72c8a5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86B.tmp
MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
memory/1052-60-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1052-61-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1268-62-0x0000000000000000-mapping.dmp

Download
memory/1280-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads