nanocore | 0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec

General

Target

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Size

1.1MB
MD5

b98f7cc3cb959e27037722baa8c65e49
SHA1

059a349af476f11733090f897f991e826d4d62c4
SHA256

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec
SHA512

14e61eb0c811728e4b9569fe624b01641a7d056469fdee7bd04c295dc917be2310f3ac4f415a28eb0175ac19c5dc31719471f3bea22e28a98ebfb30c56f431c5
SSDEEP

24576:/4lavt0LkLL9IMixoEgea9DnMNtSmESivq9MmCS:6kwkn9IMHea9DnMSmEvaPCS

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

Executes dropped EXE 1 IoCs

Processes:

1554.exe

pid process

1052 1554.exe

pid	process
1052	1554.exe

Loads dropped DLL 4 IoCs

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

pid	process
2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1554.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files\\NTFS Monitor\\ntfsmon.exe"	1554.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1554.exe0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1554.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

Drops file in Program Files directory 2 IoCs

Processes:

1554.exe

description	ioc	process
File created	C:\Program Files\NTFS Monitor\ntfsmon.exe	1554.exe
File opened for modification	C:\Program Files\NTFS Monitor\ntfsmon.exe	1554.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1860 schtasks.exe
1460 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1554.exe

pid process

1052 1554.exe
1052 1554.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1554.exe

pid process

1052 1554.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1554.exe

description pid process

Token: SeDebugPrivilege 1052 1554.exe

pid	process
1860	schtasks.exe
1460	schtasks.exe

pid	process
1052	1554.exe
1052	1554.exe

pid	process
1052	1554.exe

description	pid	process
Token: SeDebugPrivilege	1052	1554.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe1554.exe

description	pid	process	target process
PID 2044 wrote to memory of 1052	2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 2044 wrote to memory of 1052	2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 2044 wrote to memory of 1052	2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 2044 wrote to memory of 1052	2044	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 1052 wrote to memory of 1460	1052	1554.exe	schtasks.exe
PID 1052 wrote to memory of 1460	1052	1554.exe	schtasks.exe
PID 1052 wrote to memory of 1460	1052	1554.exe	schtasks.exe
PID 1052 wrote to memory of 1860	1052	1554.exe	schtasks.exe
PID 1052 wrote to memory of 1860	1052	1554.exe	schtasks.exe
PID 1052 wrote to memory of 1860	1052	1554.exe	schtasks.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

C:\Users\Admin\AppData\Local\Temp\0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
"C:\Users\Admin\AppData\Local\Temp\0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044

C:\Users\Admin\AppData\Local\Temp\1554\1554.exe
"C:\Users\Admin\AppData\Local\Temp\1554\1554.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp32C5.tmp"
3⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6846.tmp"
3⤵
- Creates scheduled task(s)
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32C5.tmp

Filesize
1KB

MD5
c946474f8bcccd6e4cba46d44ee33546

SHA1
8a5d72c68a0dd7170414d4428e1e0b4be679c09c

SHA256
e8fdaca4e4d2e0e1cfdfe65a3dd1b38f1d81ea67ae907d9794472f3109c578a9

SHA512
251742d3a55747178224c307cf1027770ebc4cb452bc41d66c8e9d670db1eb925cfb226e7e458a40612027a170cdadacac8a6ed92f27ab40e8ffe48a320738d8

Download Submit
\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
memory/1052-59-0x0000000000000000-mapping.dmp

Download
memory/1052-62-0x000007FEF35C0000-0x000007FEF3FE3000-memory.dmp

Filesize
10.1MB

Download
memory/1052-63-0x000007FEEE0A0000-0x000007FEEF136000-memory.dmp

Filesize
16.6MB

Download
memory/1052-64-0x0000000001E86000-0x0000000001EA5000-memory.dmp

Filesize
124KB

Download
memory/1052-67-0x0000000001E86000-0x0000000001EA5000-memory.dmp

Filesize
124KB

Download
memory/1052-69-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1860-68-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000076221000-0x0000000076223000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads