nanocore | 34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019

General

Target

07653FD9F64401F9F1696F4782C926F4.exe
Size

1.2MB
MD5

07653fd9f64401f9f1696f4782c926f4
SHA1

aed898c8d28306aa28785004252b81144bb73676
SHA256

34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
SHA512

96178c05a5f78f3c132e9634957194c4d90bde07413ffd086de05ad3b638188132c40f84112949ab31818ffbb578980f99a938990846ec70061d5513732894f0
SSDEEP

24576:wUelzt/bfQ8OBromXFprxo3FFkBuK/qI/nJi6CYyHFBgsnfLum9My3o54TRM+:4xUC8FU3XkBuAdfsYybggfL/Gx

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe"	07653FD9F64401F9F1696F4782C926F4.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07653FD9F64401F9F1696F4782C926F4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid	process
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe
4844	07653FD9F64401F9F1696F4782C926F4.exe

Drops file in Program Files directory 2 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe	07653FD9F64401F9F1696F4782C926F4.exe
File opened for modification	C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe	07653FD9F64401F9F1696F4782C926F4.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1452 schtasks.exe
3740 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

4844 07653FD9F64401F9F1696F4782C926F4.exe
4844 07653FD9F64401F9F1696F4782C926F4.exe
4844 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

4844 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description pid process

Token: SeDebugPrivilege 4844 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

pid process

4844 07653FD9F64401F9F1696F4782C926F4.exe

pid	process
1452	schtasks.exe
3740	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4844	07653FD9F64401F9F1696F4782C926F4.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

07653FD9F64401F9F1696F4782C926F4.exe

description	pid	process	target process
PID 4844 wrote to memory of 1452	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 4844 wrote to memory of 1452	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 4844 wrote to memory of 1452	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 4844 wrote to memory of 3740	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 4844 wrote to memory of 3740	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe
PID 4844 wrote to memory of 3740	4844	07653FD9F64401F9F1696F4782C926F4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe
"C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD95D.tmp"
2⤵
- Creates scheduled task(s)
PID:1452

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB23.tmp"
2⤵
- Creates scheduled task(s)
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD95D.tmp
Filesize
1KB

MD5
853c1e42596a3c599e8ead6504bf72af

SHA1
a78c779701d08604f7fafcba5eb21f3d657b8a2f

SHA256
63fe2fcf9cc40b50264dd477f05182d174dd27bb42b70baa125608f9122b955a

SHA512
db9f87c3094e4ebb066f51ba177ca08e43feff1437d445d9a22e14b15c94c2a30e0206cf53608b8ee4dbccfe865d985cd67b926672a3342796247a23a7fa8390

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB23.tmp
Filesize
1KB

MD5
2f26d92c1eeead3896820e56ec46f6f1

SHA1
d95533b61eed7d89e4ada56bc566d60e42ac1f61

SHA256
99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa

SHA512
6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

Download Submit
memory/1452-133-0x0000000000000000-mapping.dmp

Download
memory/3740-136-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/4844-134-0x0000000073FA0000-0x0000000074551000-memory.dmp

Filesize
5.7MB

Download
memory/4844-138-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/4844-139-0x0000000073FA0000-0x0000000074551000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads