nanocore | 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0

General

Target

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Size

203KB
MD5

07d9144c3b3cfe44c24f850a74faaacc
SHA1

1df82c6dbe192d9f78e137bb96c499fd5f0c93a5
SHA256

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0
SHA512

39120f944f46dfa34f0d4a2e59a9bdb74a76d9f69b55c054969a96666b0366651bcc2a0ab4a48f3243a2046e961f43fba5e13d5b04248eeae0f86b7428133584
SSDEEP

6144:sLV6Bta6dtJmakIM51O3JM1fMKQqa7FPp0k4v:sLV6BtpmkBGpC78v

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Manager = "C:\\Program Files (x86)\\LAN Manager\\lanmgr.exe"	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

Processes:

flow	ioc
11	0.tcp.eu.ngrok.io
268	0.tcp.eu.ngrok.io
276	0.tcp.eu.ngrok.io
240	0.tcp.eu.ngrok.io
122	0.tcp.eu.ngrok.io
132	0.tcp.eu.ngrok.io
205	0.tcp.eu.ngrok.io
95	0.tcp.eu.ngrok.io
169	0.tcp.eu.ngrok.io
183	0.tcp.eu.ngrok.io
29	0.tcp.eu.ngrok.io
291	0.tcp.eu.ngrok.io
53	0.tcp.eu.ngrok.io
149	0.tcp.eu.ngrok.io
160	0.tcp.eu.ngrok.io
224	0.tcp.eu.ngrok.io
251	0.tcp.eu.ngrok.io
68	0.tcp.eu.ngrok.io
126	0.tcp.eu.ngrok.io
136	0.tcp.eu.ngrok.io
178	0.tcp.eu.ngrok.io
232	0.tcp.eu.ngrok.io
44	0.tcp.eu.ngrok.io
114	0.tcp.eu.ngrok.io
118	0.tcp.eu.ngrok.io
197	0.tcp.eu.ngrok.io
245	0.tcp.eu.ngrok.io
261	0.tcp.eu.ngrok.io
64	0.tcp.eu.ngrok.io
84	0.tcp.eu.ngrok.io
191	0.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Manager\lanmgr.exe	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
File opened for modification	C:\Program Files (x86)\LAN Manager\lanmgr.exe	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

740 schtasks.exe
4944 schtasks.exe

pid	process
740	schtasks.exe
4944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

pid	process
2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

pid process

2724 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description pid process

Token: SeDebugPrivilege 2724 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	pid	process
Token: SeDebugPrivilege	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

description	pid	process	target process
PID 2724 wrote to memory of 740	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 2724 wrote to memory of 740	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 2724 wrote to memory of 740	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 2724 wrote to memory of 4944	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 2724 wrote to memory of 4944	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe
PID 2724 wrote to memory of 4944	2724	4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
"C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp54D7.tmp"
2⤵
- Creates scheduled task(s)
PID:740

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5545.tmp"
2⤵
- Creates scheduled task(s)
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54D7.tmp
Filesize
1KB

MD5
9913e267519b245bd05576cd155e618b

SHA1
f9988cc21222e156d8df51cc1c67ff394e0baa9a

SHA256
db8d12fa91ed89d361af77401bd08785c5b7d538627fe2591c69ad675daee81d

SHA512
fec48c5fec8a03bc55ff319580a512fcbe476d309cfb4dc8563f3cf5266a68418b8a200a2e6f0fb1131c936f6a9d79cdb0ba72e6f225c36921c6188021acd882

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5545.tmp
Filesize
1KB

MD5
d7e9b664af56ade4d18b0b895f9ae715

SHA1
f16f53d11622da2103a9005b5ff1ab9ca799982f

SHA256
60f5742e0f45b4e9a63aef570028deb0e82be84f51e1d280643961f05c516c33

SHA512
5caff8477b1ba3e3832fc5783dca09670e251ea3d3f9753bf8862776a8595697bf3870b47bc64de2d1f358205fb90288ca2871da5e81adad79766522616c3ec6

Download Submit
memory/2724-0-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2724-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2724-2-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2724-10-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2724-11-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2724-12-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2724-13-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads