Behavioral Report

General

Target

46f93ddbac62282be9a1c50c45fc47af.exe
Size

880KB
MD5

46f93ddbac62282be9a1c50c45fc47af
SHA1

fd33afba3b59b797a44916b55f5edc66b4550679
SHA256

4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b
SHA512

89ea18de5c201acd10b0256733671ccdab52c9d9c7f0c6d0e635a2a08bffac95501b77739edeaa71a2b08d39b149661cc4cf268b67ee0edeb617caa84d7c6e5c
SSDEEP

12288:58eSvB7/el8Z5GW8mnMBtZIHEDmpuWqV1bCBW5twGw9/:5M1eOWt+kDOub1GBW5twt9/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family	nanocore
Version	1.2.2.0
C2	rolandlandson149.bounceme.net:1007 127.0.0.1:1007 rolandlandson149.bounceme.net:1007 127.0.0.1:1007
Attributes	activate_away_mode true backup_connection_host 127.0.0.1 backup_dns_server 8.8.4.4 buffer_size 65535 build_time 2022-06-13T20:58:05.824762936Z bypass_user_account_control false bypass_user_account_control_data PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+ clear_access_control true clear_zone_identifier false connect_delay 4000 connection_port 1007 default_group sepTmAn enable_debug_mode true gc_threshold 1.048576e+07 keep_alive_timeout 30000 keyboard_logging false lan_timeout 2500 max_packet_size 1.048576e+07 mutex 48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09 mutex_timeout 5000 prevent_system_sleep false primary_connection_host rolandlandson149.bounceme.net primary_dns_server 8.8.8.8 request_elevation true restart_delay 5000 run_delay 0 run_on_startup false set_critical_process true timeout_interval 5000 use_custom_dns_server false version 1.2.2.0 wan_timeout 8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"	46f93ddbac62282be9a1c50c45fc47af.exe

Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process target process

PID 4308 set thread context of 2172 4308 46f93ddbac62282be9a1c50c45fc47af.exe 46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 4308 set thread context of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Drops file in Program Files directory ⋅ 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Monitor\agpmon.exe	46f93ddbac62282be9a1c50c45fc47af.exe
File opened for modification	C:\Program Files (x86)\AGP Monitor\agpmon.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Creates scheduled task(s) ⋅ 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exe

pid process

3468 schtasks.exe
3756 schtasks.exe
Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

2172 46f93ddbac62282be9a1c50c45fc47af.exe
2172 46f93ddbac62282be9a1c50c45fc47af.exe
2172 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

2172 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process

Token: SeDebugPrivilege 2172 46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
3468	schtasks.exe
3756	schtasks.exe

pid	process
2172	46f93ddbac62282be9a1c50c45fc47af.exe
2172	46f93ddbac62282be9a1c50c45fc47af.exe
2172	46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
2172	46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process
Token: SeDebugPrivilege	2172	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe

"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4308

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe

"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"

Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2172

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp200B.tmp"

Creates scheduled task(s)

PID:3468

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2164.tmp"

Creates scheduled task(s)

PID:3756

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\46f93ddbac62282be9a1c50c45fc47af.exe.log
MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp200B.tmp
MD5
06f19a531502f7c18e0e845e9378115e

SHA1
61392960eeefb9048ab40806b73180abe52effa4

SHA256
d84aeda36d3a02bc747dda659a9e3b0d2e0b8d500b2a8fb7de23863d7d6f10e5

SHA512
499cee0a456bdae39473155da1ba6c42bd3b32c28cc53f40a3e52e391345feafe0c0bbe509dca17d9c655754061df580d90b921f9f137f06ce15acd1a233550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2164.tmp
MD5
157cd55403665c49c9fd3ca1196c4397

SHA1
4feed6e606b41bb617274471349582963182756b

SHA256
49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e

SHA512
bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Download Submit
memory/2172-138-0x0000000000000000-mapping.dmp

Download
memory/2172-139-0x0000000000400000-0x0000000000438000-memory.dmp

Download
memory/3468-141-0x0000000000000000-mapping.dmp

Download
memory/3756-143-0x0000000000000000-mapping.dmp

Download
memory/4308-137-0x0000000009710000-0x0000000009776000-memory.dmp

Download
memory/4308-136-0x0000000009670000-0x000000000970C000-memory.dmp

Download
memory/4308-135-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Download
memory/4308-132-0x0000000000EF0000-0x0000000000FD2000-memory.dmp

Download
memory/4308-134-0x0000000005970000-0x0000000005A02000-memory.dmp

Download
memory/4308-133-0x0000000005E80000-0x0000000006424000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads