nanocore | 34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019

General

Target

07653FD9F64401F9F1696F4782C926F4.exe
Size

1.2MB
MD5

07653fd9f64401f9f1696f4782c926f4
SHA1

aed898c8d28306aa28785004252b81144bb73676
SHA256

34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
SHA512

96178c05a5f78f3c132e9634957194c4d90bde07413ffd086de05ad3b638188132c40f84112949ab31818ffbb578980f99a938990846ec70061d5513732894f0
SSDEEP

24576:wUelzt/bfQ8OBromXFprxo3FFkBuK/qI/nJi6CYyHFBgsnfLum9My3o54TRM+:4xUC8FU3XkBuAdfsYybggfL/Gx

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	07653FD9F64401F9F1696F4782C926F4.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07653FD9F64401F9F1696F4782C926F4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid	process
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe
800	07653FD9F64401F9F1696F4782C926F4.exe

Drops file in Program Files directory 2 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	07653FD9F64401F9F1696F4782C926F4.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	07653FD9F64401F9F1696F4782C926F4.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

892 schtasks.exe
1688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

800 07653FD9F64401F9F1696F4782C926F4.exe
800 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

800 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description pid process

Token: SeDebugPrivilege 800 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

800 07653FD9F64401F9F1696F4782C926F4.exe

pid	process
892	schtasks.exe
1688	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	800	07653FD9F64401F9F1696F4782C926F4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	pid	process	target process
PID 800 wrote to memory of 892	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 892	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 892	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 892	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 1688	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 1688	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 1688	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 800 wrote to memory of 1688	800	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe
"C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE17.tmp"
2⤵
- Creates scheduled task(s)
PID:892

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF0D6.tmp"
2⤵
- Creates scheduled task(s)
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEE17.tmp
Filesize
1KB

MD5
853c1e42596a3c599e8ead6504bf72af

SHA1
a78c779701d08604f7fafcba5eb21f3d657b8a2f

SHA256
63fe2fcf9cc40b50264dd477f05182d174dd27bb42b70baa125608f9122b955a

SHA512
db9f87c3094e4ebb066f51ba177ca08e43feff1437d445d9a22e14b15c94c2a30e0206cf53608b8ee4dbccfe865d985cd67b926672a3342796247a23a7fa8390

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0D6.tmp
Filesize
1KB

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/800-57-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/800-59-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/800-61-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/892-55-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads