nanocore | f7677db1078c998f8b24486fc49f52cc7be0cfa707e70f7b05fe3c7e49d4a1ad

General

Target

Scan Copy$$.scr
Size

1.1MB
MD5

7abe31b58ea898b5f25c33d9572d70ca
SHA1

a6be14ddb35a3d13d826bcc5833836b5ef4c8e4a
SHA256

01dbae054610259b1b33585a88a042e8762ec1c5a239c9fd0f821dc240235c16
SHA512

bf56d9321467b93011258753e3fd976755e2f4a1e81a95a4b1fcdf3eff45a7e1a70d58049d6a9da2d00dc6a9c7536eaebe4a680f72f8a351b3456f246cf99110

Score

10^/10

nanocore evasion keylogger spyware stealer suricata trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan Copy$$.scr

description pid process target process

PID 1752 set thread context of 1552 1752 Scan Copy$$.scr RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1752 set thread context of 1552	1752	Scan Copy$$.scr	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Scan Copy$$.scrRegAsm.exe

pid	process
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1552	RegAsm.exe
1552	RegAsm.exe
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr
1752	Scan Copy$$.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1552 RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Scan Copy$$.scr

pid process

1752 Scan Copy$$.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1552 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Scan Copy$$.scr

pid process

1752 Scan Copy$$.scr
1752 Scan Copy$$.scr
1752 Scan Copy$$.scr
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Scan Copy$$.scr

pid process

1752 Scan Copy$$.scr
1752 Scan Copy$$.scr
1752 Scan Copy$$.scr

pid	process
1552	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1552	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Scan Copy$$.scr

description	pid	process	target process
PID 1752 wrote to memory of 2032	1752	Scan Copy$$.scr	cmd.exe
PID 1752 wrote to memory of 2032	1752	Scan Copy$$.scr	cmd.exe
PID 1752 wrote to memory of 2032	1752	Scan Copy$$.scr	cmd.exe
PID 1752 wrote to memory of 2032	1752	Scan Copy$$.scr	cmd.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe
PID 1752 wrote to memory of 1552	1752	Scan Copy$$.scr	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr
"C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" "C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe"
2⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe
Filesize
1.1MB

MD5
3b41fc6b7655fec3be0be0f493c5870b

SHA1
855555b7ac79f6cddc2fc1e04efa984643244c4a

SHA256
e4f7964893da20ebe76a30128cc08a33fc67b670b0de5fc017d45822fccad856

SHA512
a509e1bf2bbdbfd7bc08be3f79d675ccab1f1831b7a075b7e2128d2fa5d2115a04844b6efa69385cbd7d28bb055be84245c8320e50a5d3fbeb90b2cd385f3e58

Download Submit
memory/1552-57-0x000000000041E792-mapping.dmp

Download
memory/1552-60-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-61-0x00000000004E6000-0x00000000004F7000-memory.dmp

Filesize
68KB

Download
memory/1552-63-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-54-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1752-59-0x00000000005D0000-0x00000000005D3000-memory.dmp

Filesize
12KB

Download
memory/1752-62-0x00000000005D0000-0x00000000005D3000-memory.dmp

Filesize
12KB

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads