nanocore | a2b0bbd184143fa57dd37d1d30e8d38f60dd37b2fbc350b3b3b03c41c7ba5ec1

General

Target

28356a005b34180725cc339567b7b4b8.exe
Size

203KB
MD5

28356a005b34180725cc339567b7b4b8
SHA1

255fdf44c480ff2c1d996d55a3c9d30255191011
SHA256

a2b0bbd184143fa57dd37d1d30e8d38f60dd37b2fbc350b3b3b03c41c7ba5ec1
SHA512

5d8ba08a34acbf445f9e787c769c08ae4ae96969145316ff5c0df1f0398bf029a6efeff57e125e572aef9eb266ec7dcaf538170957660f24bff9f8a92a4d57af
SSDEEP

6144:ULV6Bta6dtJmakIM5Mgw1EzFtHBZMZ46xIGF:ULV6Btpmk/gwSzXHBM4DW

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28356a005b34180725cc339567b7b4b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	28356a005b34180725cc339567b7b4b8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

28356a005b34180725cc339567b7b4b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	28356a005b34180725cc339567b7b4b8.exe

Drops file in Program Files directory 2 IoCs

Processes:

28356a005b34180725cc339567b7b4b8.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	28356a005b34180725cc339567b7b4b8.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	28356a005b34180725cc339567b7b4b8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1480 schtasks.exe
1696 schtasks.exe

pid	process
1480	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

28356a005b34180725cc339567b7b4b8.exe

pid	process
968	28356a005b34180725cc339567b7b4b8.exe
968	28356a005b34180725cc339567b7b4b8.exe
968	28356a005b34180725cc339567b7b4b8.exe
968	28356a005b34180725cc339567b7b4b8.exe
968	28356a005b34180725cc339567b7b4b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

28356a005b34180725cc339567b7b4b8.exe

pid process

968 28356a005b34180725cc339567b7b4b8.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

28356a005b34180725cc339567b7b4b8.exe

description pid process

Token: SeDebugPrivilege 968 28356a005b34180725cc339567b7b4b8.exe
Token: SeDebugPrivilege 968 28356a005b34180725cc339567b7b4b8.exe

description	pid	process
Token: SeDebugPrivilege	968	28356a005b34180725cc339567b7b4b8.exe
Token: SeDebugPrivilege	968	28356a005b34180725cc339567b7b4b8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

28356a005b34180725cc339567b7b4b8.exe

description	pid	process	target process
PID 968 wrote to memory of 1480	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1480	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1480	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1480	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1696	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1696	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1696	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe
PID 968 wrote to memory of 1696	968	28356a005b34180725cc339567b7b4b8.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\28356a005b34180725cc339567b7b4b8.exe
"C:\Users\Admin\AppData\Local\Temp\28356a005b34180725cc339567b7b4b8.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp501.tmp"
2⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp317E.tmp"
2⤵
- Creates scheduled task(s)
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp501.tmp
Filesize
1KB

MD5
3236a9f7e302fd083335f957dc69eaa9

SHA1
6f1489a84d9f5f4d8842b9527fff6e8a79dc02d8

SHA256
e7be54276d9cdd906d8f2871fd4c86b61898e41102fa8c513e1dca403873356b

SHA512
81000c6dc86b7eee6338b62a1f398046e8705bb3a492d918e79a036db24adc607a7c51717755eb493b8785214044ef3c2d1ddcf064cfd900b4feeb6604345556

Download Submit
memory/968-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/968-59-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-56-0x0000000000000000-mapping.dmp

Download
memory/1696-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads