nanocore | a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d

General

Target

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Size

1.3MB
MD5

c1b3f1fb965bb78b4f20a0468b1faf1a
SHA1

f6db4503c82309d2b06781ab28c3ff335d3d7c97
SHA256

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d
SHA512

58cb1056e425ef16d2ba90b55f9c67435e7e4bb1b108378d00fb9e76fce1cb41bb5bb512654cff51176ba07b60dcaa3beacd10891e7fd3d855f5d5def53a6917

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Monitor = "C:\\Program Files (x86)\\ARP Monitor\\arpmon.exe"	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exea1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid	process
1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process	target process
PID 1252 set thread context of 968	1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Drops file in Program Files directory 2 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Monitor\arpmon.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
File opened for modification	C:\Program Files (x86)\ARP Monitor\arpmon.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2028 schtasks.exe
1584 schtasks.exe

pid	process
2028	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid	process
968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid process

968 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description pid process

Token: SeDebugPrivilege 968 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid process

1252 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid process

968 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process
Token: SeDebugPrivilege	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exea1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process	target process
PID 1252 wrote to memory of 968	1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 1252 wrote to memory of 968	1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 1252 wrote to memory of 968	1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 1252 wrote to memory of 968	1252	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 968 wrote to memory of 2028	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 2028	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 2028	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 2028	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 1584	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 1584	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 1584	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 968 wrote to memory of 1584	968	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
"C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
"C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp391B.tmp"
3⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3B3E.tmp"
3⤵
- Creates scheduled task(s)
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp391B.tmp
Filesize
1KB

MD5
37b82c29d90d3fb00a378955f650eb9e

SHA1
97f59bdd24acd0eca07bc2f7cc15822e9605bc68

SHA256
8e08b5d469d47195d4c2c7aa3a79de0bf9f6f182a67ca12d5608aca354f987d3

SHA512
c9c740aabd9a09cafbf1093f33be5fe1291a61609b9a7688c07f7edb4c9f4dc02064afe7c41b2cde3756e40ebadd3df115e5366205ecd22366dd984d8312f5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B3E.tmp
Filesize
1KB

MD5
acc7d7829edec6af26aa18f8ca7776ef

SHA1
29f5290d08127f29924a2eb189e21b9bcfbb6f3a

SHA256
2165ad57e4cd29e911a2861e1fe6366ce11912c95f8e5ede61d247b75753001a

SHA512
07e84e0f7eb030dc0f2efde201c023051a2559dbdcde957fea73669a6e2deac9848cf3503e4e7f9524660d61ead850632bb998f12b73b887dfe841286002bc5b

Download Submit
memory/968-67-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/968-74-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/968-61-0x00000000005285B8-mapping.dmp

Download
memory/968-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/968-75-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/968-70-0x0000000077110000-0x00000000772B9000-memory.dmp

Filesize
1.7MB

Download
memory/968-72-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-62-0x0000000001E10000-0x0000000001E1F000-memory.dmp

Filesize
60KB

Download
memory/1252-63-0x00000000772F0000-0x0000000077470000-memory.dmp

Filesize
1.5MB

Download
memory/1252-56-0x0000000001E10000-0x0000000001E1F000-memory.dmp

Filesize
60KB

Download
memory/1252-59-0x0000000077110000-0x00000000772B9000-memory.dmp

Filesize
1.7MB

Download
memory/1252-60-0x00000000772F0000-0x0000000077470000-memory.dmp

Filesize
1.5MB

Download
memory/1252-57-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1584-71-0x0000000000000000-mapping.dmp

Download
memory/2028-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads