nanocore | 83070a1a3fac8ef5f5252ee67fdfae8cb04fec50d54ebb7674a154e28066ac51

General

Target

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
Size

203KB
MD5

1e10fb4210d2aa88ac9cc655525838d0
SHA1

528f5d59b9a1d560092eaf64328d020f5840f987
SHA256

83070a1a3fac8ef5f5252ee67fdfae8cb04fec50d54ebb7674a154e28066ac51
SHA512

91d4055d321ab585bc652b25eb47cffb43930310302152bd0f4b39817818c97d3efe00fe39582d4c26644e1990acbecbf64ba37898a81edede8a52737c386ef3
SSDEEP

3072:UzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HItWE9teJPqnXjTA9LWTbg9A:ULV6Bta6dtJmakIM5BETe5qnXjct2E+

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files\\NTFS Monitor\\ntfsmon.exe"	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\NTFS Monitor\ntfsmon.exe	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\NTFS Monitor\ntfsmon.exe	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1208 schtasks.exe
2648 schtasks.exe

pid	process
1208	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

pid	process
2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

pid process

2228 1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2228 1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe

description	pid	process	target process
PID 2228 wrote to memory of 1208	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe
PID 2228 wrote to memory of 1208	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe
PID 2228 wrote to memory of 1208	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe
PID 2228 wrote to memory of 2648	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe
PID 2228 wrote to memory of 2648	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe
PID 2228 wrote to memory of 2648	2228	1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e10fb4210d2aa88ac9cc655525838d0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1BBB.tmp"
2⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1CF4.tmp"
2⤵
- Creates scheduled task(s)
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1BBB.tmp
Filesize
1KB

MD5
eeb7850b938c3c5cf109ff9b39111c2a

SHA1
58d28dac7369b337157b9517af8a1314775474bb

SHA256
ce1e8e36b0d6f58894302cb2dd70f8c3bb973602850d8809dd419ffb0cf12f8d

SHA512
40b14ab3767faee8583964c7810cf9e631796119dce17b07ca61a72a4aa7ba37339285400a09f88f8d42c1b7635cde4b7d0c6cc37560be7508b1cab26ba14867

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CF4.tmp
Filesize
1KB

MD5
5f5e99c9ab761ddb08b6f1dece87c986

SHA1
45d8b3b48ae347fc5682985f768a630f09e09cda

SHA256
c638f2188334c1a930d7298bd878f72707373034b9ba5af3c911bec5784c2368

SHA512
6dc4d72c57e18cf997d21465ecc3d4f7fc4a95d5d52f24742e3a38c3089d23b8b8a3524016194c0462c878eba98a47cb32771ed3d0fb81d71be9c9608964f2f0

Download Submit
memory/2228-13-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-14-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-1-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-10-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2228-11-0x0000000000A50000-0x0000000000A6E000-memory.dmp

Filesize
120KB

Download
memory/2228-12-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2228-0-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

Filesize
4KB

Download
memory/2228-2-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-15-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-16-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-17-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

Filesize
4KB

Download
memory/2228-18-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-20-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-19-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-21-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-22-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads