nanocore | e564c250cd0780ed1870506da94c0cb34240c41f361a9bee13db815e4e58b266

General

Target

9333b848ec502f882c35f7d865aec7d6.exe
Size

203KB
MD5

9333b848ec502f882c35f7d865aec7d6
SHA1

c56c21e6918f2efd0050552ac8fb831c8ed6da3a
SHA256

e564c250cd0780ed1870506da94c0cb34240c41f361a9bee13db815e4e58b266
SHA512

ecddf6b594e314c172de120be87ebfdb8c75db956265df01df3c459a91abd50eda4b17a82359917c556ef84076579c8dea20f35b8343916f8eb489c23107cb83

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	9333b848ec502f882c35f7d865aec7d6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9333b848ec502f882c35f7d865aec7d6.exe

Drops file in Program Files directory 2 IoCs

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	9333b848ec502f882c35f7d865aec7d6.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	9333b848ec502f882c35f7d865aec7d6.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1536 schtasks.exe
1308 schtasks.exe

pid	process
1536	schtasks.exe
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

pid	process
1212	9333b848ec502f882c35f7d865aec7d6.exe
1212	9333b848ec502f882c35f7d865aec7d6.exe
1212	9333b848ec502f882c35f7d865aec7d6.exe
1212	9333b848ec502f882c35f7d865aec7d6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

pid process

1212 9333b848ec502f882c35f7d865aec7d6.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

description pid process

Token: SeDebugPrivilege 1212 9333b848ec502f882c35f7d865aec7d6.exe
Token: SeDebugPrivilege 1212 9333b848ec502f882c35f7d865aec7d6.exe

description	pid	process
Token: SeDebugPrivilege	1212	9333b848ec502f882c35f7d865aec7d6.exe
Token: SeDebugPrivilege	1212	9333b848ec502f882c35f7d865aec7d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9333b848ec502f882c35f7d865aec7d6.exe

description	pid	process	target process
PID 1212 wrote to memory of 1308	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1308	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1308	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1308	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1536	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1536	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1536	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe
PID 1212 wrote to memory of 1536	1212	9333b848ec502f882c35f7d865aec7d6.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9333b848ec502f882c35f7d865aec7d6.exe
"C:\Users\Admin\AppData\Local\Temp\9333b848ec502f882c35f7d865aec7d6.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD920.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1308
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF1A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD920.tmp

MD5
b0cb4af4c8cf245cd530c7b2fd8bdca4

SHA1
26c317a94922b1d288c5e3a1df664724a52d65ae

SHA256
6501603e603b4fcb10a7cef4670b6ffb76d228f368bcc4e395dd0bf3abe0f16b

SHA512
e2334f3bc69bcb8583ffd60f36a7c2ba05c57dbe54ab9c37ace6b2a5f81ceee69454522a42c8ebb242714ea992a33ff64b28d0cdf5a47cd54e150a85cb075a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF1A.tmp

MD5
c4aecdef99eba873119e79616df3f4b0

SHA1
b1b3af52655fb633eed909dfed05b64fbbfac37c

SHA256
24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b

SHA512
e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

Download Submit
memory/1212-54-0x0000000075331000-0x0000000075333000-memory.dmp

Filesize
8KB

Download
memory/1212-55-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1308-56-0x0000000000000000-mapping.dmp

Download
memory/1536-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads