nanocore | a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d

General

Target

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Size

1.3MB
MD5

c1b3f1fb965bb78b4f20a0468b1faf1a
SHA1

f6db4503c82309d2b06781ab28c3ff335d3d7c97
SHA256

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d
SHA512

58cb1056e425ef16d2ba90b55f9c67435e7e4bb1b108378d00fb9e76fce1cb41bb5bb512654cff51176ba07b60dcaa3beacd10891e7fd3d855f5d5def53a6917

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe"	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exea1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid	process
4772	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process	target process
PID 4772 set thread context of 1348	4772	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Drops file in Program Files directory 2 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Host\arphost.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
File opened for modification	C:\Program Files (x86)\ARP Host\arphost.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4564 schtasks.exe
3396 schtasks.exe

pid	process
4564	schtasks.exe
3396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid	process
1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid process

1348 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description pid process

Token: SeDebugPrivilege 1348 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

pid process

4772 a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process
Token: SeDebugPrivilege	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exea1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe

description	pid	process	target process
PID 4772 wrote to memory of 1348	4772	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 4772 wrote to memory of 1348	4772	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 4772 wrote to memory of 1348	4772	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
PID 1348 wrote to memory of 4564	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 1348 wrote to memory of 4564	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 1348 wrote to memory of 4564	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 1348 wrote to memory of 3396	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 1348 wrote to memory of 3396	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe
PID 1348 wrote to memory of 3396	1348	a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
"C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe
"C:\Users\Admin\AppData\Local\Temp\a1a3a5aac5afc7f0891dfc47b4d5758abfb92d5f49fb286484a558e3aea9616d.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA8D.tmp"
3⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpABC6.tmp"
3⤵
- Creates scheduled task(s)
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA8D.tmp
Filesize
1KB

MD5
37b82c29d90d3fb00a378955f650eb9e

SHA1
97f59bdd24acd0eca07bc2f7cc15822e9605bc68

SHA256
8e08b5d469d47195d4c2c7aa3a79de0bf9f6f182a67ca12d5608aca354f987d3

SHA512
c9c740aabd9a09cafbf1093f33be5fe1291a61609b9a7688c07f7edb4c9f4dc02064afe7c41b2cde3756e40ebadd3df115e5366205ecd22366dd984d8312f5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpABC6.tmp
Filesize
1KB

MD5
447ab194ab36cb1d20078d80e502b1b2

SHA1
a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0

SHA256
8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5

SHA512
49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327

Download Submit
memory/1348-140-0x00007FFD9A030000-0x00007FFD9A225000-memory.dmp

Filesize
2.0MB

Download
memory/1348-147-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/1348-150-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1348-149-0x0000000077870000-0x0000000077A13000-memory.dmp

Filesize
1.6MB

Download
memory/1348-138-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1348-139-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1348-148-0x00007FFD9A030000-0x00007FFD9A225000-memory.dmp

Filesize
2.0MB

Download
memory/1348-141-0x0000000077870000-0x0000000077A13000-memory.dmp

Filesize
1.6MB

Download
memory/1348-142-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1348-135-0x0000000000000000-mapping.dmp

Download
memory/3396-145-0x0000000000000000-mapping.dmp

Download
memory/4564-143-0x0000000000000000-mapping.dmp

Download
memory/4772-134-0x0000000077870000-0x0000000077A13000-memory.dmp

Filesize
1.6MB

Download
memory/4772-133-0x00007FFD9A030000-0x00007FFD9A225000-memory.dmp

Filesize
2.0MB

Download
memory/4772-132-0x0000000002BC0000-0x0000000002BCF000-memory.dmp

Filesize
60KB

Download
memory/4772-137-0x0000000077870000-0x0000000077A13000-memory.dmp

Filesize
1.6MB

Download
memory/4772-136-0x0000000002BC0000-0x0000000002BCF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads