nanocore | b0f0b4c3d5da49fced977a24b84dcb13b292a983c705c0b0f8fd4b1307c9ea47

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Servo.exe
Size

553KB
MD5

a5024adbf456fb728d2acb0def071460
SHA1

acda2fa3da707a7a1e7ab1246393380972584c58
SHA256

b0f0b4c3d5da49fced977a24b84dcb13b292a983c705c0b0f8fd4b1307c9ea47
SHA512

4f7a28238ceb4a5e89c1de82f818161fbec81bac7752d6a595cc61592527a674fc07e4688822ee1b421548d5ec59adcd7b7f8dd51cab464cc028881bff3109ab
SSDEEP

12288:CLV6BtpmkIeY+4F7Ko4YKDbzsr0s2apK+85GY+xVncgIHQE2:gApfC74D4J38+RVnKHM

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Servo.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Servo.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4420 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Servo.exe

pid process

2724 Servo.exe
2724 Servo.exe
2724 Servo.exe
2724 Servo.exe
2724 Servo.exe
2724 Servo.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Servo.exe

pid process

2724 Servo.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Servo.exe

description pid process

Token: SeDebugPrivilege 2724 Servo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Servo.exe

pid	process
4420	schtasks.exe

pid	process
2724	Servo.exe
2724	Servo.exe
2724	Servo.exe
2724	Servo.exe
2724	Servo.exe
2724	Servo.exe

pid	process
2724	Servo.exe

description	pid	process
Token: SeDebugPrivilege	2724	Servo.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Servo.exe

description	pid	process	target process
PID 2724 wrote to memory of 4420	2724	Servo.exe	schtasks.exe
PID 2724 wrote to memory of 4420	2724	Servo.exe	schtasks.exe
PID 2724 wrote to memory of 4420	2724	Servo.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Servo.exe
"C:\Users\Admin\AppData\Local\Temp\Servo.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "IMAP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6F39.tmp"
2⤵
- Creates scheduled task(s)
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6F39.tmp
Filesize
1KB

MD5
21eb47272b41fe9d7fcca518c952729c

SHA1
a133d77b681f81537c622a13a710f73f00e5dfc3

SHA256
a5ca990a4c8841deae77b06775842d236e2353eb6bb9e075397632e1d8ecc5ba

SHA512
1001333dded82e75000be50a7b8990d1a3526e2ea6aa9ed7a103874f4467e9777c7932bb7b19233b441f3e78a559e86300f19e8a66c5e553abb448e200aab284

Download Submit
memory/2724-133-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2724-138-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2724-139-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2724-140-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download