nanocore | 41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3

Analysis

max time kernel
152s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
Size

191KB
MD5

c75152ce682c0ca6b4f30e177a6bfffe
SHA1

a3a450af427a27d8a25c8210824e6a15bba798a2
SHA256

41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3
SHA512

bcceb1d49dfd15a128ae3d22621a493a02acd1ee8800ae19c7e07933c6538cc1a65a2fa43537d1fc50a992ad2397374bf5283466db466f7b40eed80a922aa6c0
SSDEEP

3072:H5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdVhdaPRHQiyrqEgaxFoxPubej7v:HM80mniiLU7QPerORHQiyrVLPox1v

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files\\DDP Host\\ddphost.exe"	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DDP Host\ddphost.exe	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
File opened for modification	C:\Program Files\DDP Host\ddphost.exe	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1240	schtasks.exe
4764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
Token: SeDebugPrivilege	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1240	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe	79
PID 1680 wrote to memory of 1240	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe	79
PID 1680 wrote to memory of 4764	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe	81
PID 1680 wrote to memory of 4764	1680	41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe	81

C:\Users\Admin\AppData\Local\Temp\41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe
"C:\Users\Admin\AppData\Local\Temp\41195b52e8d9830c3aae467fcfcd99d05869ed13f3e77991302a4640633295d3.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1240
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81A4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp

Filesize
1KB

MD5
916f5d2c4d1258f0506d3e2bcf0bb8d5

SHA1
cdfb136641ff77457757b2624f98d7e0979d2ec8

SHA256
0604e286043bdd06c96937d507b383965dada330cae0a333b97a276cf514604e

SHA512
66b6c47f9f4d94c4cd86e1a5b939dfc2ae2a484300835401f6053b951161bab7364d484742fb7a604a219106be7e60a71d39591e551f7908a974a94b554dccb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81A4.tmp

Filesize
1KB

MD5
c7fa4b18f5349fb1b63d51d4e4aade5d

SHA1
6ea0823ea22ca9a71bf85bbdb73e796ef7c7a49a

SHA256
a323035c5e75b2f39367de287634a12282026f6e87ff471135f90e48603bb4aa

SHA512
03e6aedbfb8155e4fa431d62c92670844ec0a7d32d269c82ced2974d98b35b97ae4495b8fd8d47857fda4be099e6ee486a9ae65ac33e09facd3ab6f4646ef30f

Download Submit
memory/1680-132-0x00007FFBFD9A0000-0x00007FFBFE3D6000-memory.dmp

Filesize
10.2MB

Download
memory/1680-137-0x000000001C730000-0x000000001C830000-memory.dmp

Filesize
1024KB

Download
memory/1680-138-0x000000001C730000-0x000000001C830000-memory.dmp

Filesize
1024KB

Download