nanocore | 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be

General

Target

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Size

484KB
MD5

124d636100ebd7a0150b180a54536108
SHA1

1961e8a42971d2d40226f9c5bc405e81430d10b0
SHA256

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be
SHA512

b55d5380f4d02881838591a15047a42c8da784faf78a0f0aa592d7c9be6aa240bd0c30fc606c018ccec645afdbd05958a0e3e3fc2aebe2edbd7a4b96ce12194f

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	pid	process	target process
PID 532 set thread context of 912	532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Drops file in Program Files directory 2 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

pid	process
912	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
912	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

pid process

912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description pid process

Token: SeDebugPrivilege 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

pid process

532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

pid process

912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	pid	process
Token: SeDebugPrivilege	912	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

pid	process
532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

description	pid	process	target process
PID 532 wrote to memory of 912	532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
PID 532 wrote to memory of 912	532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
PID 532 wrote to memory of 912	532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
PID 532 wrote to memory of 912	532	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe	3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe

C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
"C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-59-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/532-57-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/532-56-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/912-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/912-60-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/912-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/912-58-0x000000000046CCCE-mapping.dmp

Download
memory/912-64-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/912-65-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/912-66-0x0000000008870000-0x0000000009368000-memory.dmp

Filesize
11.0MB

Download
memory/912-67-0x0000000009370000-0x00000000094F8000-memory.dmp

Filesize
1.5MB

Download
memory/912-68-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/912-69-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads