nanocore | 24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9

General

Target

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
Size

210KB
MD5

1002cd31a32e3ab901cbd5f4afc1efaf
SHA1

dc59f97c84e998d88590443d08cb86fe5feb359a
SHA256

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9
SHA512

e3a1e7877ecf7621490c0d432a00ae96d43b927dc52367f1bba8b5035ab0f59728a7636dd15ffa6fc861678415c9a6842798070dc8b6a599f54f6362859fd8b6
SSDEEP

3072:xzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIavHUuxT/++/FjsgUU/KnYQMe:xLV6Bta6dtJmakIM5X+onU9nYdeCUku

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe"	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Drops file in Program Files directory 2 IoCs

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisvc.exe	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisvc.exe	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3192 schtasks.exe
2044 schtasks.exe

pid	process
3192	schtasks.exe
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

pid	process
4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

pid process

4564 24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

description	pid	process
Token: SeDebugPrivilege	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
Token: SeDebugPrivilege	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe

description	pid	process	target process
PID 4564 wrote to memory of 3192	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe
PID 4564 wrote to memory of 3192	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe
PID 4564 wrote to memory of 3192	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe
PID 4564 wrote to memory of 2044	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe
PID 4564 wrote to memory of 2044	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe
PID 4564 wrote to memory of 2044	4564	24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe
"C:\Users\Admin\AppData\Local\Temp\24325cbcf17f7cee501cd2e6471d22d9cc0cc040afbcbda36da545459111c1a9.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp35E5.tmp"
2⤵
- Creates scheduled task(s)
PID:3192

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3643.tmp"
2⤵
- Creates scheduled task(s)
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp35E5.tmp
Filesize
1KB

MD5
015ab22866fd244cf3ae136add9a41ab

SHA1
0892bf0f25eee09ef70ebd4673fa962d0f1139df

SHA256
cc86901f9e79fdd40a53215daaa55d32d1151be3a5e6741bde2265b19ab536f3

SHA512
01729b6ceeb8c7e3e421cc806cf61051740d4d20bc0c43eace5f0ad298f8788d69db0ea749ea9010948f9e54cd34c9bbd3b8c149dd951e9a62c4ce29e42e462b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3643.tmp
Filesize
1KB

MD5
0d6d94a917c4ce63da6bc50cbbe0dc5d

SHA1
599564f60649f3f4c14478e9cb184000d4280a61

SHA256
e82a4b8311319f1b68cb06ae5b670e97a11c467b1bdb0ebf130f523bf98ca522

SHA512
23ac6a088e2a1df3d75d2aca17cdcc5a4147b966758e4acc4d904293f4693f362db637d8135edd670e158bec77e788e915f2a55042a2f1aec09a4679bc749412

Download Submit
memory/4564-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4564-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-10-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-11-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-12-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4564-13-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-14-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads