nanocore | bd5006ba4e4cfcf8a8b0b6da5bb30f4dd8a78beb351b814431ae8599dcf23f1b

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-en-20211208
submitted
17-12-2021 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

3.1MB
MD5

54fccf779c1611fe486a5c232f32f4d2
SHA1

9edd5d86fbb0236625c1c533e85d2fe76901979f
SHA256

bd5006ba4e4cfcf8a8b0b6da5bb30f4dd8a78beb351b814431ae8599dcf23f1b
SHA512

21e2eedfb70bc97807c2c5327efe246aa24cd2ed0890dee0e1ad9de487311684047c6dd3083a3bc4083288627f2e1797a319e9a9517a5aed7b95258a5302916d

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"	a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

a.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a.exe

pid process

1636 a.exe
Drops file in Program Files directory 1 IoCs

Processes:

a.exe

description ioc process

File created C:\Program Files (x86)\SAAS Monitor\saasmon.exe a.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a.exe

pid process

1636 a.exe
1636 a.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a.exe

pid process

1636 a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a.exe

description pid process

Token: SeDebugPrivilege 1636 a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe

pid	process
1636	a.exe

description	ioc	process
File created	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	a.exe

pid	process
1636	a.exe
1636	a.exe

pid	process
1636	a.exe

description	pid	process
Token: SeDebugPrivilege	1636	a.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-53-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download