nanocore | 8293f8ec81938cfd92083ba744826f3077846f3482777cc7c6ea46cfbd2fc73c

Analysis

max time kernel
90s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2022 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ab25ebbc71a46070104c1d785b62ac.exe
Size

301KB
MD5

25ab25ebbc71a46070104c1d785b62ac
SHA1

6444155774547189adbc93ce13334ef8570910c2
SHA256

8293f8ec81938cfd92083ba744826f3077846f3482777cc7c6ea46cfbd2fc73c
SHA512

35dbdb10e46ecfce4a39f1e0131a0411fcf2f89473f47a00bca77047648f218b59aa89963d45462f99ddcefee6907d12408053313a7cdf642a38025a6f210a77
SSDEEP

6144:aLV6Bta6dtJmakIM5oZ0lGKhnz0mJ+zAapxe:aLV6BtpmkZZ0lGKhnz0AAzpxe

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"	25ab25ebbc71a46070104c1d785b62ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25ab25ebbc71a46070104c1d785b62ac.exe

Drops file in Program Files directory 2 IoCs

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\AGP Monitor\agpmon.exe	25ab25ebbc71a46070104c1d785b62ac.exe
File created	C:\Program Files (x86)\AGP Monitor\agpmon.exe	25ab25ebbc71a46070104c1d785b62ac.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2092 schtasks.exe
4372 schtasks.exe

pid	process
2092	schtasks.exe
4372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

pid	process
2416	25ab25ebbc71a46070104c1d785b62ac.exe
2416	25ab25ebbc71a46070104c1d785b62ac.exe
2416	25ab25ebbc71a46070104c1d785b62ac.exe
2416	25ab25ebbc71a46070104c1d785b62ac.exe
2416	25ab25ebbc71a46070104c1d785b62ac.exe
2416	25ab25ebbc71a46070104c1d785b62ac.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

pid process

2416 25ab25ebbc71a46070104c1d785b62ac.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

description pid process

Token: SeDebugPrivilege 2416 25ab25ebbc71a46070104c1d785b62ac.exe
Token: SeDebugPrivilege 2416 25ab25ebbc71a46070104c1d785b62ac.exe

description	pid	process
Token: SeDebugPrivilege	2416	25ab25ebbc71a46070104c1d785b62ac.exe
Token: SeDebugPrivilege	2416	25ab25ebbc71a46070104c1d785b62ac.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

25ab25ebbc71a46070104c1d785b62ac.exe

description	pid	process	target process
PID 2416 wrote to memory of 2092	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe
PID 2416 wrote to memory of 2092	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe
PID 2416 wrote to memory of 2092	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe
PID 2416 wrote to memory of 4372	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe
PID 2416 wrote to memory of 4372	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe
PID 2416 wrote to memory of 4372	2416	25ab25ebbc71a46070104c1d785b62ac.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\25ab25ebbc71a46070104c1d785b62ac.exe
"C:\Users\Admin\AppData\Local\Temp\25ab25ebbc71a46070104c1d785b62ac.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6BFD.tmp"
2⤵
- Creates scheduled task(s)
PID:2092

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6CC9.tmp"
2⤵
- Creates scheduled task(s)
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6BFD.tmp
Filesize
1KB

MD5
17fa6cd12662dd40c1dfa48f0c461c16

SHA1
c48a18b08ffcb22beb1821b317efdd5cea2fea6f

SHA256
179728606d634eff798ef12c4ab3a1d83a4943267435f7bbc39f3c4f64e1dc02

SHA512
fcbf46fb84103c518217ef1d92bfa1f6b60973fef83c9b894593caa41ccadde61946a81ed33f1a4de85f35f5a46007739607648b12d3a7dbe1a595b0b71d72ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CC9.tmp
Filesize
1KB

MD5
157cd55403665c49c9fd3ca1196c4397

SHA1
4feed6e606b41bb617274471349582963182756b

SHA256
49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e

SHA512
bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Download Submit
memory/2092-133-0x0000000000000000-mapping.dmp

Download
memory/2416-132-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2416-137-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4372-135-0x0000000000000000-mapping.dmp

Download