nanocore | 8541a15e2d7858556440d7b3e9196778058433d35f508eac051afc351966c983

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nanocore.exe
Size

203KB
MD5

d262a39ae9070fe568b3d5c0fbab50ae
SHA1

deeb952a38460ffa85a1004865ca2b777757a1bd
SHA256

8541a15e2d7858556440d7b3e9196778058433d35f508eac051afc351966c983
SHA512

7e370ff52916a50b9c94789eea25c86fc2ad1fe1cefd5d0b3ddea5fe23be67f3328c17eec3d952e9e6ba19dd744358705c13648ac040561c07eb11391045b25f
SSDEEP

3072:UzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPFhtrUIEPOoDGUL3Ko64+nS26:ULV6Bta6dtJmakIM5sh80UOo9+nA53R

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nanocore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	nanocore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nanocore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nanocore.exe

Drops file in Program Files directory 2 IoCs

Processes:

nanocore.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	nanocore.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	nanocore.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

368 schtasks.exe
1304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

nanocore.exe

pid process

872 nanocore.exe
872 nanocore.exe
872 nanocore.exe
872 nanocore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nanocore.exe

pid process

872 nanocore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nanocore.exe

description pid process

Token: SeDebugPrivilege 872 nanocore.exe

pid	process
368	schtasks.exe
1304	schtasks.exe

pid	process
872	nanocore.exe
872	nanocore.exe
872	nanocore.exe
872	nanocore.exe

pid	process
872	nanocore.exe

description	pid	process
Token: SeDebugPrivilege	872	nanocore.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

nanocore.exe

description	pid	process	target process
PID 872 wrote to memory of 368	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 368	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 368	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 368	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 1304	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 1304	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 1304	872	nanocore.exe	schtasks.exe
PID 872 wrote to memory of 1304	872	nanocore.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\nanocore.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23A8.tmp"
2⤵
- Creates scheduled task(s)
PID:368

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F9D.tmp"
2⤵
- Creates scheduled task(s)
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp23A8.tmp
Filesize
1KB

MD5
c1537facbed38a07cf8821a32f017448

SHA1
4c5f1d0254eb77121a18368e4d4ee285c79788cd

SHA256
9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a

SHA512
fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a

Download Submit
memory/368-56-0x0000000000000000-mapping.dmp

Download
memory/872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/872-58-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1304-59-0x0000000000000000-mapping.dmp

Download