nanocore | 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0

General

Target

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Size

203KB
MD5

07d9144c3b3cfe44c24f850a74faaacc
SHA1

1df82c6dbe192d9f78e137bb96c499fd5f0c93a5
SHA256

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0
SHA512

39120f944f46dfa34f0d4a2e59a9bdb74a76d9f69b55c054969a96666b0366651bcc2a0ab4a48f3243a2046e961f43fba5e13d5b04248eeae0f86b7428133584
SSDEEP

6144:sLV6Bta6dtJmakIM51O3JM1fMKQqa7FPp0k4v:sLV6BtpmkBGpC78v

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

Processes:

flow	ioc
79	0.tcp.eu.ngrok.io
115	0.tcp.eu.ngrok.io
169	0.tcp.eu.ngrok.io
66	0.tcp.eu.ngrok.io
175	0.tcp.eu.ngrok.io
177	0.tcp.eu.ngrok.io
179	0.tcp.eu.ngrok.io
109	0.tcp.eu.ngrok.io
151	0.tcp.eu.ngrok.io
171	0.tcp.eu.ngrok.io
106	0.tcp.eu.ngrok.io
122	0.tcp.eu.ngrok.io
140	0.tcp.eu.ngrok.io
142	0.tcp.eu.ngrok.io
52	0.tcp.eu.ngrok.io
137	0.tcp.eu.ngrok.io
146	0.tcp.eu.ngrok.io
173	0.tcp.eu.ngrok.io
113	0.tcp.eu.ngrok.io
104	0.tcp.eu.ngrok.io
111	0.tcp.eu.ngrok.io
149	0.tcp.eu.ngrok.io
41	0.tcp.eu.ngrok.io
159	0.tcp.eu.ngrok.io
166	0.tcp.eu.ngrok.io
153	0.tcp.eu.ngrok.io
90	0.tcp.eu.ngrok.io
100	0.tcp.eu.ngrok.io
128	0.tcp.eu.ngrok.io
131	0.tcp.eu.ngrok.io
11	0.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3564 schtasks.exe
4008 schtasks.exe

pid	process
3564	schtasks.exe
4008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

pid	process
4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

pid process

4464 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description pid process

Token: SeDebugPrivilege 4464 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	pid	process
Token: SeDebugPrivilege	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	pid	process	target process
PID 4464 wrote to memory of 3564	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 4464 wrote to memory of 3564	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 4464 wrote to memory of 3564	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 4464 wrote to memory of 4008	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 4464 wrote to memory of 4008	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 4464 wrote to memory of 4008	4464	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
"C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp36CF.tmp"
2⤵
- Creates scheduled task(s)
PID:3564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp371E.tmp"
2⤵
- Creates scheduled task(s)
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp36CF.tmp
Filesize
1KB

MD5
9913e267519b245bd05576cd155e618b

SHA1
f9988cc21222e156d8df51cc1c67ff394e0baa9a

SHA256
db8d12fa91ed89d361af77401bd08785c5b7d538627fe2591c69ad675daee81d

SHA512
fec48c5fec8a03bc55ff319580a512fcbe476d309cfb4dc8563f3cf5266a68418b8a200a2e6f0fb1131c936f6a9d79cdb0ba72e6f225c36921c6188021acd882

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp371E.tmp
Filesize
1KB

MD5
c4aecdef99eba873119e79616df3f4b0

SHA1
b1b3af52655fb633eed909dfed05b64fbbfac37c

SHA256
24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b

SHA512
e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

Download Submit
memory/4464-0-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4464-1-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4464-2-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download
memory/4464-10-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download
memory/4464-11-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4464-12-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4464-13-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads