nanocore | b6ea32ceff8498b3f93e82045668703deef3f24f6939739eb83f64d05b87fc96

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d2d1f56f6404cdcb2afe3a582f6f092.exe
Size

203KB
MD5

0d2d1f56f6404cdcb2afe3a582f6f092
SHA1

91e7f7e469182e4e283ce8b92d1b2db7bc23dbc6
SHA256

b6ea32ceff8498b3f93e82045668703deef3f24f6939739eb83f64d05b87fc96
SHA512

cbbcb82c5c81a1c72d4d7ad10041c4489dd72efe24bc37a271c21f68195d9789c81e2c8cea5819ab7491ec3c3664ced35e9d34812612be6fdcf7c662ebfd692f
SSDEEP

3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI25PAGTwjgaxODOeSQcY/UShKR:sLV6Bta6dtJmakIM5dr8PxtPY/1KR

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"	0d2d1f56f6404cdcb2afe3a582f6f092.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0d2d1f56f6404cdcb2afe3a582f6f092.exe

Drops file in Program Files directory 2 IoCs

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	0d2d1f56f6404cdcb2afe3a582f6f092.exe
File opened for modification	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	0d2d1f56f6404cdcb2afe3a582f6f092.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2324 schtasks.exe
3700 schtasks.exe

pid	process
2324	schtasks.exe
3700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

pid	process
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe
1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

pid process

1320 0d2d1f56f6404cdcb2afe3a582f6f092.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

description pid process

Token: SeDebugPrivilege 1320 0d2d1f56f6404cdcb2afe3a582f6f092.exe

description	pid	process
Token: SeDebugPrivilege	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0d2d1f56f6404cdcb2afe3a582f6f092.exe

description	pid	process	target process
PID 1320 wrote to memory of 3700	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe
PID 1320 wrote to memory of 3700	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe
PID 1320 wrote to memory of 3700	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe
PID 1320 wrote to memory of 2324	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe
PID 1320 wrote to memory of 2324	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe
PID 1320 wrote to memory of 2324	1320	0d2d1f56f6404cdcb2afe3a582f6f092.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0d2d1f56f6404cdcb2afe3a582f6f092.exe
"C:\Users\Admin\AppData\Local\Temp\0d2d1f56f6404cdcb2afe3a582f6f092.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE68C.tmp"
2⤵
- Creates scheduled task(s)
PID:3700

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp"
2⤵
- Creates scheduled task(s)
PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE68C.tmp

Filesize
1KB

MD5
5d13bb83dfeb58d89417d2208d1400e5

SHA1
6af9c797e6cf547a18be96b80bfa2bb4324f7ae1

SHA256
480fb01e65d200e8506b6219f3cc8645e0d4db10946c55ab1c6b694aab5626eb

SHA512
169d8e3a0f97422e89f6587912ad2cc149261b00f0416b3435c193e8e277bf0325e38157cc26e7de355acfe9f01c4a342884e1848d1a21e38175ab93c5a24955

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp

Filesize
1KB

MD5
677848190631e19222304d1982aa2e1b

SHA1
bed6cf97d3458e4ea59ff9823375d915a9b3d682

SHA256
8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d

SHA512
f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e

Download Submit
memory/1320-132-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1320-137-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/2324-135-0x0000000000000000-mapping.dmp

Download
memory/3700-133-0x0000000000000000-mapping.dmp

Download