nanocore | b78bcdb4ddc36aa5b190fe6fa1e867a1be3c70ba84a9d6caf6117973a3ca5a2f

General

Target

takcrowneu2.1.exe
Size

884KB
MD5

1d21b93f7f98b71f70cf052f70c8bda0
SHA1

3a3bea376a76d68311e0046fef8792c52e6025c1
SHA256

b78bcdb4ddc36aa5b190fe6fa1e867a1be3c70ba84a9d6caf6117973a3ca5a2f
SHA512

edd77182bf7f823d0de28ba5dcd0d20ae6e92818de717385670d253650497cbf35bd85a9c252f1433c2350b1a6d941ffbfe455f99f1db1cd0f717f5f176de613
SSDEEP

24576:kNbB3QTZkNiNdjaSEM7j5Kjil50RuBv7/QcSOlj:09ATZkNiNdjaSEM7j5Kji4MhjQcSOlj

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

yuhlz.exe

pid process

5080 yuhlz.exe
Loads dropped DLL 1 IoCs

Processes:

yuhlz.exe

pid process

1892 yuhlz.exe

pid	process
5080	yuhlz.exe

pid	process
1892	yuhlz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yuhlz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnylvotlea = "C:\\Users\\Admin\\AppData\\Roaming\\wfqru\\rlfiugvdke.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhlz.exe\""	yuhlz.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

yuhlz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yuhlz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

yuhlz.exe

description pid process target process

PID 5080 set thread context of 1892 5080 yuhlz.exe yuhlz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 5080 WerFault.exe yuhlz.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

yuhlz.exe

pid process

1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

yuhlz.exe

pid process

1892 yuhlz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yuhlz.exe

description pid process

Token: SeDebugPrivilege 1892 yuhlz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yuhlz.exe

description	pid	process	target process
PID 5080 set thread context of 1892	5080	yuhlz.exe	yuhlz.exe

pid	pid_target	process	target process
1488	5080	WerFault.exe	yuhlz.exe

pid	process
1892	yuhlz.exe
1892	yuhlz.exe
1892	yuhlz.exe
1892	yuhlz.exe
1892	yuhlz.exe
1892	yuhlz.exe

pid	process
1892	yuhlz.exe

description	pid	process
Token: SeDebugPrivilege	1892	yuhlz.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

takcrowneu2.1.exeyuhlz.exe

description	pid	process	target process
PID 5008 wrote to memory of 5080	5008	takcrowneu2.1.exe	yuhlz.exe
PID 5008 wrote to memory of 5080	5008	takcrowneu2.1.exe	yuhlz.exe
PID 5008 wrote to memory of 5080	5008	takcrowneu2.1.exe	yuhlz.exe
PID 5080 wrote to memory of 1892	5080	yuhlz.exe	yuhlz.exe
PID 5080 wrote to memory of 1892	5080	yuhlz.exe	yuhlz.exe
PID 5080 wrote to memory of 1892	5080	yuhlz.exe	yuhlz.exe
PID 5080 wrote to memory of 1892	5080	yuhlz.exe	yuhlz.exe

C:\Users\Admin\AppData\Local\Temp\takcrowneu2.1.exe
"C:\Users\Admin\AppData\Local\Temp\takcrowneu2.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
"C:\Users\Admin\AppData\Local\Temp\yuhlz.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
"C:\Users\Admin\AppData\Local\Temp\yuhlz.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 564
3⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5080 -ip 5080
1⤵
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dclcgtroxoc.sd
Filesize
280KB

MD5
fd2caf04742669d5011034a902b46f1b

SHA1
b3e66b8bdb3cb7a7bc2a4c713d3e0dc6395853ab

SHA256
cb4a7a233c6ba428b533bdba4d7e8bc1cb034d336224e477bb5995b42803108d

SHA512
319877b7432e7eb2febb318e47aad9809688357e39352f5e2ffb27761acffee2f2275ca6dc89055dcc122fb97d9f75856562a9cbbfa3878da758dfcca7e70261

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
Filesize
123KB

MD5
4ac8ce3af17e0db03c02abd01f9f33f8

SHA1
3ca64bd42cc6a62c8bd8909ae6b8e3e6e7e1895b

SHA256
07dbcb2e97f0b244f07536acf856bfa122f1a88e36cd660f9ae813c6b8585eb7

SHA512
655d804404242aaf58245aaba688da6ded23d3c1b9d658489d0444e71a355419f8873547fc6094a3b11d6f7c66064118402d827ef0690150dcf5445b3ae39889

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
Filesize
123KB

MD5
4ac8ce3af17e0db03c02abd01f9f33f8

SHA1
3ca64bd42cc6a62c8bd8909ae6b8e3e6e7e1895b

SHA256
07dbcb2e97f0b244f07536acf856bfa122f1a88e36cd660f9ae813c6b8585eb7

SHA512
655d804404242aaf58245aaba688da6ded23d3c1b9d658489d0444e71a355419f8873547fc6094a3b11d6f7c66064118402d827ef0690150dcf5445b3ae39889

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
Filesize
123KB

MD5
4ac8ce3af17e0db03c02abd01f9f33f8

SHA1
3ca64bd42cc6a62c8bd8909ae6b8e3e6e7e1895b

SHA256
07dbcb2e97f0b244f07536acf856bfa122f1a88e36cd660f9ae813c6b8585eb7

SHA512
655d804404242aaf58245aaba688da6ded23d3c1b9d658489d0444e71a355419f8873547fc6094a3b11d6f7c66064118402d827ef0690150dcf5445b3ae39889

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvmcykf.e
Filesize
6KB

MD5
213d69cc16a62973d466ca2221b03375

SHA1
66fe1c42904c396bb13059f790b2fe8f93be009f

SHA256
66d7cbb7ae6a2214efca3ae2e0f697d99cd37d0d78ae3c8c35971ad315e40aea

SHA512
54def173682c1926d4d6defb602aedec460398be572294ebf6180eca3081b2a8b5cd0a36904af1457681a667af63aa55ed1f4e2fc02170d19d4404276be4a5e3

Download Submit
memory/1892-137-0x0000000000000000-mapping.dmp

Download
memory/1892-139-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/1892-140-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1892-141-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/1892-142-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/1892-143-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/5080-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing