nanocore | 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48

General

Target

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
Size

143KB
MD5

917ab8733f840d052d552bb3766fd926
SHA1

bf71e255ec62cc497796e4a030f221407efeece9
SHA256

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48
SHA512

56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3
SSDEEP

3072:runHgXqb+ixUyl/Gojn3TQNh71B3JkLrB:Y+Y7njn3Tst3CL

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Attributes

activate_away_mode
false
backup_connection_host
backup_dns_server
buffer_size
0
build_time
0001-01-01T00:00:00Z
bypass_user_account_control
false
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
0
connection_port
0
default_group
enable_debug_mode
false
gc_threshold
0
keep_alive_timeout
0
keyboard_logging
false
lan_timeout
0
max_packet_size
0
mutex
mutex_timeout
0
prevent_system_sleep
false
primary_connection_host
primary_dns_server
request_elevation
false
restart_delay
0
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
0
use_custom_dns_server
false
version
wan_timeout
0

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFEvaD5IuXm.lnk	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Loads dropped DLL 1 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

pid process

1092 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.177
Destination IP	37.235.1.174

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

description	pid	process	target process
PID 1092 set thread context of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

pid	process
1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

description pid process

Token: SeDebugPrivilege 1092 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

description	pid	process
Token: SeDebugPrivilege	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

description	pid	process	target process
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe
PID 1092 wrote to memory of 668	1092	17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
"C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\IRjJOa6JYni\MicroSoftEssentials.exe
Filesize
143KB

MD5
917ab8733f840d052d552bb3766fd926

SHA1
bf71e255ec62cc497796e4a030f221407efeece9

SHA256
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48

SHA512
56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3

Download Submit
memory/668-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-64-0x000000000041E792-mapping.dmp

Download
memory/668-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/668-70-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/668-71-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-56-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads