nanocore | 59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2

Analysis

max time kernel
148s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe
Size

97KB
MD5

63909b030829d94c7995d8d4cb4c8670
SHA1

c0275653eb580d361bb21c069462dabbd99105c4
SHA256

59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2
SHA512

bf472a378fea0c89d20e4080f13d3cd63fec28b0b3007cc35ffc3030a5efda8376cbbee3c927a4027f486296268a8518efb3211f139b85a299cd3042cbb0e696
SSDEEP

3072:n4BwG0c4ygA2dcoT/E7bswnxyTRg3L6MB:8bey3RA

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

Drops file in Program Files directory 2 IoCs

Processes:

59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

description	pid	process
Token: SeDebugPrivilege	1352	59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe
Token: SeDebugPrivilege	1352	59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe

C:\Users\Admin\AppData\Local\Temp\59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe
"C:\Users\Admin\AppData\Local\Temp\59ad8140e8bfc88ad8af266a9144b0f8180651e0217f8f19b15ec18555eeadd2.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1352-55-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-56-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download