nanocore | 1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770

Analysis

max time kernel
76s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000b000000012308-58.exe
Size

203KB
MD5

76658348d014ff1282ee9e9cd178da1c
SHA1

b4eeb8debd8a52f5c9d889363ab6205349b39de9
SHA256

1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770
SHA512

42fd035c8b6719545580e893286d0a3cb6626874e45a945b52a2c06522d9539e0ab9292c417e047198f5e2814ca6b8290205390613f42015e383fa7c2af1f305
SSDEEP

6144:sLV6Bta6dtJmakIM53s7UBmOKqVotp/wK32i:sLV6Btpmk5QmGuAK32i

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0x000b000000012308-58.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Host = "C:\\Program Files (x86)\\DOS Host\\doshost.exe"	0x000b000000012308-58.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

0x000b000000012308-58.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0x000b000000012308-58.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0x000b000000012308-58.exe

Drops file in Program Files directory 2 IoCs

Processes:

0x000b000000012308-58.exe

description	ioc	process
File created	C:\Program Files (x86)\DOS Host\doshost.exe	0x000b000000012308-58.exe
File opened for modification	C:\Program Files (x86)\DOS Host\doshost.exe	0x000b000000012308-58.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5036 schtasks.exe
4388 schtasks.exe

pid	process
5036	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0x000b000000012308-58.exe

pid	process
2060	0x000b000000012308-58.exe
2060	0x000b000000012308-58.exe
2060	0x000b000000012308-58.exe
2060	0x000b000000012308-58.exe
2060	0x000b000000012308-58.exe
2060	0x000b000000012308-58.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0x000b000000012308-58.exe

pid process

2060 0x000b000000012308-58.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0x000b000000012308-58.exe

description pid process

Token: SeDebugPrivilege 2060 0x000b000000012308-58.exe

description	pid	process
Token: SeDebugPrivilege	2060	0x000b000000012308-58.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0x000b000000012308-58.exe

description	pid	process	target process
PID 2060 wrote to memory of 5036	2060	0x000b000000012308-58.exe	schtasks.exe
PID 2060 wrote to memory of 5036	2060	0x000b000000012308-58.exe	schtasks.exe
PID 2060 wrote to memory of 5036	2060	0x000b000000012308-58.exe	schtasks.exe
PID 2060 wrote to memory of 4388	2060	0x000b000000012308-58.exe	schtasks.exe
PID 2060 wrote to memory of 4388	2060	0x000b000000012308-58.exe	schtasks.exe
PID 2060 wrote to memory of 4388	2060	0x000b000000012308-58.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0x000b000000012308-58.exe
"C:\Users\Admin\AppData\Local\Temp\0x000b000000012308-58.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DOS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBE53.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5036
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DOS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE53.tmp

Filesize
1KB

MD5
301c130220b9ab8929bf17cd413d65f5

SHA1
9993a9ca6abe78cf5401338ab1f26d580534b393

SHA256
80b67d67c487a97d9bb4961d4904d3e018b5d3285ca366f8a72518ccbacf381d

SHA512
f1b8366df98462295cdc51f2f3cef3d2ec78dc8486e0e4688d21cbae0ba6b4c1db1a381ae16cac823dd988ce9e178bd6873c80b87dca527a95f53beb1105de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp

Filesize
1KB

MD5
e380299eb53398115b7125b2b75c4798

SHA1
ee59b86ea0abf4097ff94bd940521c583803b036

SHA256
edb658b6577a80126eaacdf2a566755b63d7b2438fe0bcf3aea83930036811f3

SHA512
d9e3f3b1370fe4fce4a631a5d0669cef34bfe83dec146b606eff562c7cc450639304a732104f425a7ccfdded58064f28a98434a59ed8d93b595d64d1e1a2dde1

Download Submit
memory/2060-135-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2060-140-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4388-138-0x0000000000000000-mapping.dmp

Download
memory/5036-136-0x0000000000000000-mapping.dmp

Download