nanocore | 0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec

General

Target

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Size

1.1MB
MD5

b98f7cc3cb959e27037722baa8c65e49
SHA1

059a349af476f11733090f897f991e826d4d62c4
SHA256

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec
SHA512

14e61eb0c811728e4b9569fe624b01641a7d056469fdee7bd04c295dc917be2310f3ac4f415a28eb0175ac19c5dc31719471f3bea22e28a98ebfb30c56f431c5
SSDEEP

24576:/4lavt0LkLL9IMixoEgea9DnMNtSmESivq9MmCS:6kwkn9IMHea9DnMSmEvaPCS

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

Executes dropped EXE 1 IoCs

Processes:

1554.exe

pid process

4792 1554.exe

pid	process
4792	1554.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1554.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files\\PCI Manager\\pcimgr.exe"	1554.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe1554.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1554.exe

Drops file in Program Files directory 2 IoCs

Processes:

1554.exe

description	ioc	process
File created	C:\Program Files\PCI Manager\pcimgr.exe	1554.exe
File opened for modification	C:\Program Files\PCI Manager\pcimgr.exe	1554.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2268 schtasks.exe
2432 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1554.exe

pid process

4792 1554.exe
4792 1554.exe
4792 1554.exe
4792 1554.exe
4792 1554.exe
4792 1554.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1554.exe

pid process

4792 1554.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1554.exe

description pid process

Token: SeDebugPrivilege 4792 1554.exe

pid	process
2268	schtasks.exe
2432	schtasks.exe

pid	process
4792	1554.exe
4792	1554.exe
4792	1554.exe
4792	1554.exe
4792	1554.exe
4792	1554.exe

pid	process
4792	1554.exe

description	pid	process
Token: SeDebugPrivilege	4792	1554.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe1554.exe

description	pid	process	target process
PID 4740 wrote to memory of 4792	4740	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 4740 wrote to memory of 4792	4740	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe	1554.exe
PID 4792 wrote to memory of 2268	4792	1554.exe	schtasks.exe
PID 4792 wrote to memory of 2268	4792	1554.exe	schtasks.exe
PID 4792 wrote to memory of 2432	4792	1554.exe	schtasks.exe
PID 4792 wrote to memory of 2432	4792	1554.exe	schtasks.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe

C:\Users\Admin\AppData\Local\Temp\0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe
"C:\Users\Admin\AppData\Local\Temp\0aa169d92500c4aa835575cc17bfc48d24c38aec2335906efeb7dea7ee738eec.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4740

C:\Users\Admin\AppData\Local\Temp\1554\1554.exe
"C:\Users\Admin\AppData\Local\Temp\1554\1554.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64.tmp"
3⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2C6.tmp"
3⤵
- Creates scheduled task(s)
PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\1554\1554.exe

Filesize
255KB

MD5
4051af77a4baf601520e9132c8b282bd

SHA1
6c258ef59d544efe6027e51d97c1b15f748365f4

SHA256
c687d4064dfb8bc8c5d80d5b6103caec01ba2a798f9bfcd7ddd74f6e7ce90ae0

SHA512
fb99af04e8df6ef9c1137137c6ff7c6549669adda445dac5c85e7af157ae9370f7df3a3fc5696c3ba360bc5a1e4a818d258b58d721b54586dbb4527ebe38e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C6.tmp

Filesize
1KB

MD5
f7fc5cfe3d4801d5fb389238c3400380

SHA1
41751c30225709a60ba8f8049c6e2405d9d6717d

SHA256
79a01572b6494f8dc6cd81f182d1566d57b6eaf8592f4e07f1a7eb8eaf89d883

SHA512
86fdef1ccb273b2680c8f9645be7fd532cfc1441b2299f72d785d038a228129b0bdca6ddb83e9fd25945f65832fca1668c9f510705fca418e0fdb2d1ed6fc9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64.tmp

Filesize
1KB

MD5
c946474f8bcccd6e4cba46d44ee33546

SHA1
8a5d72c68a0dd7170414d4428e1e0b4be679c09c

SHA256
e8fdaca4e4d2e0e1cfdfe65a3dd1b38f1d81ea67ae907d9794472f3109c578a9

SHA512
251742d3a55747178224c307cf1027770ebc4cb452bc41d66c8e9d670db1eb925cfb226e7e458a40612027a170cdadacac8a6ed92f27ab40e8ffe48a320738d8

Download Submit
memory/2268-136-0x0000000000000000-mapping.dmp

Download
memory/2432-138-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download
memory/4792-135-0x00007FF9D2440000-0x00007FF9D2E76000-memory.dmp

Filesize
10.2MB

Download
memory/4792-140-0x00000000013AA000-0x00000000013AF000-memory.dmp

Filesize
20KB

Download
memory/4792-141-0x000000001C6A0000-0x000000001C7A0000-memory.dmp

Filesize
1024KB

Download
memory/4792-142-0x00000000013AA000-0x00000000013AF000-memory.dmp

Filesize
20KB

Download
memory/4792-143-0x000000001C6A0000-0x000000001C7A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads