nanocore | fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802

General

Target

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
Size

1.3MB
MD5

f41ac3c9d7cac6153c6687fe0b160dc9
SHA1

c7368bb2435f0dca25a39fe11ca1df1be9dbef6c
SHA256

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802
SHA512

40d7605ec4244a702893ed926b5e4eeef41052fa06ffd5c753bf06b03c171dcd6929a58d2336f47ac4b5def49221c811748f8b9962896ed900141ddda595bc8d

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Monitor = "C:\\Program Files (x86)\\ARP Monitor\\arpmon.exe"	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exefb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

pid	process
2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	pid	process	target process
PID 2004 set thread context of 996	2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Drops file in Program Files directory 2 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Monitor\arpmon.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
File opened for modification	C:\Program Files (x86)\ARP Monitor\arpmon.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1172 schtasks.exe
2036 schtasks.exe

pid	process
1172	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

pid	process
996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

pid process

996 fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description pid process

Token: SeDebugPrivilege 996 fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

pid process

2004 fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

pid process

996 fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	pid	process
Token: SeDebugPrivilege	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exefb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe

description	pid	process	target process
PID 2004 wrote to memory of 996	2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
PID 2004 wrote to memory of 996	2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
PID 2004 wrote to memory of 996	2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
PID 2004 wrote to memory of 996	2004	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
PID 996 wrote to memory of 1172	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 1172	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 1172	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 1172	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 2036	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 2036	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 2036	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe
PID 996 wrote to memory of 2036	996	fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
"C:\Users\Admin\AppData\Local\Temp\fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe
"C:\Users\Admin\AppData\Local\Temp\fb54fb0923bdd2eab423511171594f00e111895a2569ff98079e264ba8ef5802.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3286.tmp"
3⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3610.tmp"
3⤵
- Creates scheduled task(s)
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3286.tmp
Filesize
1KB

MD5
77ae39d74633ba1cd28d5af6dfc9ae48

SHA1
a07a06e314d8da1e79389c8040b72eac1de1a147

SHA256
3a91e8698b1f3f1a58948608e660a9febe3533f9573d097a952386f7f87f95e1

SHA512
4d1d8a1bc29d78f98b419490bcc8d175fe6afd22f8c2d7573748b60e4926d36979d89171acb54bdbe7fb1e21c6b4dc6491c468bff32dcf662ee56894e98f3240

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3610.tmp
Filesize
1KB

MD5
acc7d7829edec6af26aa18f8ca7776ef

SHA1
29f5290d08127f29924a2eb189e21b9bcfbb6f3a

SHA256
2165ad57e4cd29e911a2861e1fe6366ce11912c95f8e5ede61d247b75753001a

SHA512
07e84e0f7eb030dc0f2efde201c023051a2559dbdcde957fea73669a6e2deac9848cf3503e4e7f9524660d61ead850632bb998f12b73b887dfe841286002bc5b

Download Submit
memory/996-67-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/996-73-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/996-78-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/996-77-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/996-61-0x00000000005173F9-mapping.dmp

Download
memory/996-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/996-75-0x0000000021690000-0x00000000216CC000-memory.dmp

Filesize
240KB

Download
memory/996-68-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/996-69-0x0000000077DF0000-0x0000000077F70000-memory.dmp

Filesize
1.5MB

Download
memory/1172-70-0x0000000000000000-mapping.dmp

Download
memory/2004-59-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/2004-60-0x0000000077DF0000-0x0000000077F70000-memory.dmp

Filesize
1.5MB

Download
memory/2004-57-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/2004-56-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2004-63-0x0000000077DF0000-0x0000000077F70000-memory.dmp

Filesize
1.5MB

Download
memory/2004-62-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2036-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads