nanocore | 271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135

Analysis

max time kernel
146s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:42

Target

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe
Size

158KB
MD5

202e3ede5006aaa516cef6af81002da6
SHA1

fd77cd81afef5985ab5902f507d95de8edf0161b
SHA256

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135
SHA512

0b717b8c49451de34f28d7a94e7d2d1bba80f9f605497143e91feca64c5d8facf47185416f50cc4a7846fc25ab882bf3a74ef959361c68c50c657a6ddf761db8
SSDEEP

3072:i5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdVvuDZmXUv/KEs4aYRqfEh:iM80mniiLU7QPervuDZ3vyeRq4

Score

10^/10

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

pid	process
900	271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe
900	271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

pid process

900 271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

description pid process

Token: SeDebugPrivilege 900 271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

description	pid	process
Token: SeDebugPrivilege	900	271c92d4124758b378e5f0b5f3d8e96ef2f517f9b732d0a35b1113227bccf135.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/900-54-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp

Filesize
10.1MB

Download
memory/900-55-0x000007FEF28F0000-0x000007FEF3986000-memory.dmp

Filesize
16.6MB

Download
memory/900-56-0x0000000001E86000-0x0000000001EA5000-memory.dmp

Filesize
124KB

Download
memory/900-57-0x0000000001E86000-0x0000000001EA5000-memory.dmp

Filesize
124KB

Download