nanocore | 30391802bc27853f0c27a3e901d6ec917b39d4735fa9d7dd8c04b5d491ffa442

Analysis

max time kernel
170s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8f06060ef69fb1be7f9ba55a5f69073.exe
Size

214KB
MD5

b8f06060ef69fb1be7f9ba55a5f69073
SHA1

6969748250c95ca3d6e6302d69c510b5d2dae992
SHA256

30391802bc27853f0c27a3e901d6ec917b39d4735fa9d7dd8c04b5d491ffa442
SHA512

dcceb16b902c60250a73175c51684d2f71a70d227594a10fde50f76a7be6e238ed6904766239b8739091705989b633bf68f0152cb45b376fd9030c58a9e1a164
SSDEEP

3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIq9f:wLV6Bta6dtJmakIM5pf

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Manager = "C:\\Program Files (x86)\\ARP Manager\\arpmgr.exe"	b8f06060ef69fb1be7f9ba55a5f69073.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8f06060ef69fb1be7f9ba55a5f69073.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ARP Manager\arpmgr.exe	b8f06060ef69fb1be7f9ba55a5f69073.exe
File opened for modification	C:\Program Files (x86)\ARP Manager\arpmgr.exe	b8f06060ef69fb1be7f9ba55a5f69073.exe

C:\Users\Admin\AppData\Local\Temp\b8f06060ef69fb1be7f9ba55a5f69073.exe
"C:\Users\Admin\AppData\Local\Temp\b8f06060ef69fb1be7f9ba55a5f69073.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-0-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1220-1-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1220-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1220-5-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1220-6-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1220-7-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1220-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads