Behavioral Report

General

Target

46f93ddbac62282be9a1c50c45fc47af.exe
Size

880KB
MD5

46f93ddbac62282be9a1c50c45fc47af
SHA1

fd33afba3b59b797a44916b55f5edc66b4550679
SHA256

4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b
SHA512

89ea18de5c201acd10b0256733671ccdab52c9d9c7f0c6d0e635a2a08bffac95501b77739edeaa71a2b08d39b149661cc4cf268b67ee0edeb617caa84d7c6e5c
SSDEEP

12288:58eSvB7/el8Z5GW8mnMBtZIHEDmpuWqV1bCBW5twGw9/:5M1eOWt+kDOub1GBW5twt9/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family	nanocore
Version	1.2.2.0
C2	rolandlandson149.bounceme.net:1007 127.0.0.1:1007 rolandlandson149.bounceme.net:1007 127.0.0.1:1007
Attributes	activate_away_mode true backup_connection_host 127.0.0.1 backup_dns_server 8.8.4.4 buffer_size 65535 build_time 2022-06-13T20:58:05.824762936Z bypass_user_account_control false bypass_user_account_control_data PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+ clear_access_control true clear_zone_identifier false connect_delay 4000 connection_port 1007 default_group sepTmAn enable_debug_mode true gc_threshold 1.048576e+07 keep_alive_timeout 30000 keyboard_logging false lan_timeout 2500 max_packet_size 1.048576e+07 mutex 48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09 mutex_timeout 5000 prevent_system_sleep false primary_connection_host rolandlandson149.bounceme.net primary_dns_server 8.8.8.8 request_elevation true restart_delay 5000 run_delay 0 run_on_startup false set_critical_process true timeout_interval 5000 use_custom_dns_server false version 1.2.2.0 wan_timeout 8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"	46f93ddbac62282be9a1c50c45fc47af.exe

Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process target process

PID 860 set thread context of 1528 860 46f93ddbac62282be9a1c50c45fc47af.exe 46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 860 set thread context of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Drops file in Program Files directory ⋅ 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Manager\agpmgr.exe	46f93ddbac62282be9a1c50c45fc47af.exe
File opened for modification	C:\Program Files (x86)\AGP Manager\agpmgr.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Creates scheduled task(s) ⋅ 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exe

pid process

1128 schtasks.exe
1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

1528 46f93ddbac62282be9a1c50c45fc47af.exe
1528 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

1528 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process

Token: SeDebugPrivilege 1528 46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
1128	schtasks.exe
1940	schtasks.exe

pid	process
1528	46f93ddbac62282be9a1c50c45fc47af.exe
1528	46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
1528	46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process
Token: SeDebugPrivilege	1528	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of WriteProcessMemory ⋅ 17 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe

"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:860

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe

"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"

Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1528

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD48F.tmp"

Creates scheduled task(s)

PID:1128

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD5B8.tmp"

Creates scheduled task(s)

PID:1940

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD48F.tmp
MD5
06f19a531502f7c18e0e845e9378115e

SHA1
61392960eeefb9048ab40806b73180abe52effa4

SHA256
d84aeda36d3a02bc747dda659a9e3b0d2e0b8d500b2a8fb7de23863d7d6f10e5

SHA512
499cee0a456bdae39473155da1ba6c42bd3b32c28cc53f40a3e52e391345feafe0c0bbe509dca17d9c655754061df580d90b921f9f137f06ce15acd1a233550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5B8.tmp
MD5
885d6dd30570594e167fadb59d9ca0ea

SHA1
9981e583644c4eb9cf5056615a0e1c2913c8983b

SHA256
7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2

SHA512
1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

Download Submit
memory/860-59-0x0000000000E10000-0x0000000000E4A000-memory.dmp

Download
memory/860-58-0x0000000005F40000-0x0000000005FD4000-memory.dmp

Download
memory/860-54-0x0000000001040000-0x0000000001122000-memory.dmp

Download
memory/860-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Download
memory/860-57-0x0000000000490000-0x000000000049C000-memory.dmp

Download
memory/860-56-0x0000000000440000-0x0000000000456000-memory.dmp

Download
memory/1128-73-0x0000000000000000-mapping.dmp

Download
memory/1528-61-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-66-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-67-0x000000000041E792-mapping.dmp

Download
memory/1528-69-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-71-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-64-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-63-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-60-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/1528-77-0x00000000005E0000-0x00000000005EA000-memory.dmp

Download
memory/1528-78-0x0000000000600000-0x000000000061E000-memory.dmp

Download
memory/1528-79-0x0000000000840000-0x000000000084A000-memory.dmp

Download
memory/1940-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads