nanocore | 6056ddf4fd5f58f421883da0176a32cbad5458c80d33e1e0d4f1ddcf28f6d21d

General

Target

09768ed665365838e5f15dff9c5b3e74.exe
Size

452KB
MD5

09768ed665365838e5f15dff9c5b3e74
SHA1

385a907d5646ef30bf470784b89867b1ef1737d8
SHA256

6056ddf4fd5f58f421883da0176a32cbad5458c80d33e1e0d4f1ddcf28f6d21d
SHA512

f636194777edf866795c86f54fa78a7589e34e4fefec773809b0546e8455e4e49703bfe7d9ce0de86069b16193380674d51aabdf7f61f890aa90e6e572efccd3
SSDEEP

6144:MLV6Bta6dtJmakIM5fBnRhWiJ8bEQj3MrRFW6V475A1X90g2l5TwBrEYFNHz9QC5:MLV6BtpmkoblRcKYg2l5TwSY72C1zvr

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	09768ed665365838e5f15dff9c5b3e74.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	09768ed665365838e5f15dff9c5b3e74.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	09768ed665365838e5f15dff9c5b3e74.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	09768ed665365838e5f15dff9c5b3e74.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1052	schtasks.exe
4932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
916	09768ed665365838e5f15dff9c5b3e74.exe
916	09768ed665365838e5f15dff9c5b3e74.exe
916	09768ed665365838e5f15dff9c5b3e74.exe
916	09768ed665365838e5f15dff9c5b3e74.exe
916	09768ed665365838e5f15dff9c5b3e74.exe
916	09768ed665365838e5f15dff9c5b3e74.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
916	09768ed665365838e5f15dff9c5b3e74.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	09768ed665365838e5f15dff9c5b3e74.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1052	916	09768ed665365838e5f15dff9c5b3e74.exe	88
PID 916 wrote to memory of 1052	916	09768ed665365838e5f15dff9c5b3e74.exe	88
PID 916 wrote to memory of 1052	916	09768ed665365838e5f15dff9c5b3e74.exe	88
PID 916 wrote to memory of 4932	916	09768ed665365838e5f15dff9c5b3e74.exe	90
PID 916 wrote to memory of 4932	916	09768ed665365838e5f15dff9c5b3e74.exe	90
PID 916 wrote to memory of 4932	916	09768ed665365838e5f15dff9c5b3e74.exe	90

C:\Users\Admin\AppData\Local\Temp\09768ed665365838e5f15dff9c5b3e74.exe
"C:\Users\Admin\AppData\Local\Temp\09768ed665365838e5f15dff9c5b3e74.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1052
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4BDA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp

Filesize
1KB

MD5
48e5cc7cf5299cff58af1fdea13e87b8

SHA1
7a4742103c1982099cb3410848033b9f8615ac71

SHA256
1db2ec327b2905d2e7986c1b3282a0a56b0ff4b67e88dcc806298bdc277feda2

SHA512
8d0c7710596cd1766af3be31b150dc90d43f48689db4533e638ac9af0606018807a8f94447c4c3548a2231c2493feb797bed4ab7be6afea5c9f3c86d18afc264

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BDA.tmp

Filesize
1KB

MD5
c4aecdef99eba873119e79616df3f4b0

SHA1
b1b3af52655fb633eed909dfed05b64fbbfac37c

SHA256
24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b

SHA512
e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

Download Submit
memory/916-0-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/916-1-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/916-2-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/916-3-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/916-4-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/916-12-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/916-13-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads