nanocore | 9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51

Analysis

max time kernel
141s
max time network
201s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
Size

199KB
MD5

b69492e3d099bc344c93c596e044ed29
SHA1

bb8af0339fcff82a0864677b2cea0e0f5587f7ee
SHA256

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51
SHA512

d38a4882f6423c941d778f3f7e3d3f76591dcfa079f49d7f8173e23ca6f37f94e98febf2154b53b5997a8dcb487b6f053dfcac2984ff5f60b60dacce87d971bb
SSDEEP

3072:r5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdV0Qh85QG1ooemavRBzsoHkN:rM80mniiLU7QPerNh8Pa7BHkN

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files\\PCI Subsystem\\pciss.exe"	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

Drops file in Program Files directory 2 IoCs

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

description	ioc	process
File created	C:\Program Files\PCI Subsystem\pciss.exe	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
File opened for modification	C:\Program Files\PCI Subsystem\pciss.exe	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

pid	process
2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

pid process

2028 9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

description pid process

Token: SeDebugPrivilege 2028 9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

description	pid	process
Token: SeDebugPrivilege	2028	9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe

C:\Users\Admin\AppData\Local\Temp\9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe
"C:\Users\Admin\AppData\Local\Temp\9b51ab6d4d37b31fa9dc7f82bb48f7ef3c836e4228d3f88d72117eeb20723b51.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-54-0x000007FEF3F60000-0x000007FEF4983000-memory.dmp

Filesize
10.1MB

Download
memory/2028-55-0x000007FEF2EC0000-0x000007FEF3F56000-memory.dmp

Filesize
16.6MB

Download
memory/2028-56-0x0000000000286000-0x00000000002A5000-memory.dmp

Filesize
124KB

Download
memory/2028-57-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/2028-58-0x0000000000286000-0x00000000002A5000-memory.dmp

Filesize
124KB

Download