nanocore | 505d76702345bc95a07e30c9d7c57bb700e98124141d14b336e8d5c5e3e5c296

General

Target

holf.exe
Size

884KB
MD5

912d6c88f475bb275629201d52ae0ae6
SHA1

3e64f86e98787997c98b98039bb491fa613e79cc
SHA256

6b8e10fb6b6aa647c8c0ba181184d950e9f47ca6753213fc96b1b3ec18409f93
SHA512

c8362c522e556166cc018800f721c8c4c3067d51209063f91424fbaf249b36441fc69e2556ee9b94cb7c0a6eee82d51b6105c3fa1a8148a98446e1a7e368d254
SSDEEP

24576:rmoO8itEqfZng7cw8lSQzuQM9saXICbmyX97i:qvZScwKSQzrM9ZzfN7i

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

holf.exeexcel.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	holf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	excel.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

excel.sfx.exeexcel.exe

pid process

2032 excel.sfx.exe
1796 excel.exe

pid	process
2032	excel.sfx.exe
1796	excel.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

excel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files\\DDP Host\\ddphost.exe"	excel.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

excel.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA excel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	excel.exe

Drops file in Program Files directory 2 IoCs

Processes:

excel.exe

description	ioc	process
File created	C:\Program Files\DDP Host\ddphost.exe	excel.exe
File opened for modification	C:\Program Files\DDP Host\ddphost.exe	excel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

excel.exe

pid process

1796 excel.exe
1796 excel.exe
1796 excel.exe
1796 excel.exe
1796 excel.exe
1796 excel.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

excel.exe

pid process

1796 excel.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

excel.exe

description pid process

Token: SeDebugPrivilege 1796 excel.exe

pid	process
1796	excel.exe
1796	excel.exe
1796	excel.exe
1796	excel.exe
1796	excel.exe
1796	excel.exe

pid	process
1796	excel.exe

description	pid	process
Token: SeDebugPrivilege	1796	excel.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

holf.execmd.exeexcel.sfx.exe

description	pid	process	target process
PID 1300 wrote to memory of 3208	1300	holf.exe	cmd.exe
PID 1300 wrote to memory of 3208	1300	holf.exe	cmd.exe
PID 1300 wrote to memory of 3208	1300	holf.exe	cmd.exe
PID 3208 wrote to memory of 2032	3208	cmd.exe	excel.sfx.exe
PID 3208 wrote to memory of 2032	3208	cmd.exe	excel.sfx.exe
PID 3208 wrote to memory of 2032	3208	cmd.exe	excel.sfx.exe
PID 2032 wrote to memory of 1796	2032	excel.sfx.exe	excel.exe
PID 2032 wrote to memory of 1796	2032	excel.sfx.exe	excel.exe

C:\Users\Admin\AppData\Local\Temp\holf.exe
"C:\Users\Admin\AppData\Local\Temp\holf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
excel.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
Filesize
757KB

MD5
a0b5f08cd959d1e068179e1d6889710f

SHA1
e26ac168101697f1660990cfacbad48da4225e04

SHA256
e9b5abcd2b8ea76a1e8632156689bd234ddfb0b5be2674b72a17be5b62dcebe2

SHA512
7dad1ac11f01c2ed7982f79e891a5b7f07daf6ec126a7a04e0b67681ec08c136f260bdf88e71e319a7285efb4c5fec902c00d5801e7b606e7334c2d4ac5b7aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat
Filesize
28B

MD5
f0b6f875f327f542118e2416f8259a13

SHA1
3edb59643d2be4f440aa9216c1a4ec52a972b8de

SHA256
48b03ca255d2246d388cce7df6cf578303485d5acfe53e9ca7038ff518a3be01

SHA512
f3a0191c5d34fa0771e6ad053a046a3b3d0cec5f61a82281bffe309258d74599534afbd814bb397b619e6033e59b2dc372112cbbcb92cb6ecfd74ce4481bb2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
Filesize
552KB

MD5
3a8ea73b34b33345474770c83cc825ae

SHA1
d50ce020098b23149d354ee1c4e6ed742ace11fd

SHA256
2b0196abbdb448cdde45f9bc9bce3c879f39ff3783ce375a7a6a1ce4130025f1

SHA512
9cbdb8c16fb4595c44434351ae4df8bbbb137dce51e041df8fdbfee031a199d040e6385ea8b93421908b46799a52fbda660ff08f457f536bd511957c5a22b145

Download Submit
memory/1796-32-0x000000001CF80000-0x000000001CF8E000-memory.dmp

Filesize
56KB

Download
memory/1796-30-0x000000001C7C0000-0x000000001C7D2000-memory.dmp

Filesize
72KB

Download
memory/1796-21-0x000000001C340000-0x000000001C3DC000-memory.dmp

Filesize
624KB

Download
memory/1796-22-0x000000001C590000-0x000000001C636000-memory.dmp

Filesize
664KB

Download
memory/1796-23-0x00000000013E0000-0x00000000013E8000-memory.dmp

Filesize
32KB

Download
memory/1796-26-0x000000001C8E0000-0x000000001C8EA000-memory.dmp

Filesize
40KB

Download
memory/1796-27-0x000000001C7B0000-0x000000001C7C2000-memory.dmp

Filesize
72KB

Download
memory/1796-28-0x000000001CF50000-0x000000001CF6A000-memory.dmp

Filesize
104KB

Download
memory/1796-29-0x000000001C680000-0x000000001C68E000-memory.dmp

Filesize
56KB

Download
memory/1796-19-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/1796-31-0x000000001C860000-0x000000001C86C000-memory.dmp

Filesize
48KB

Download
memory/1796-20-0x000000001BE70000-0x000000001C33E000-memory.dmp

Filesize
4.8MB

Download
memory/1796-33-0x000000001CF90000-0x000000001CFA4000-memory.dmp

Filesize
80KB

Download
memory/1796-34-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/1796-36-0x000000001C870000-0x000000001C87E000-memory.dmp

Filesize
56KB

Download
memory/1796-37-0x000000001CFA0000-0x000000001CFBE000-memory.dmp

Filesize
120KB

Download
memory/1796-35-0x000000001C6A0000-0x000000001C6B4000-memory.dmp

Filesize
80KB

Download
memory/1796-38-0x000000001CF70000-0x000000001CF7A000-memory.dmp

Filesize
40KB

Download
memory/1796-40-0x000000001D130000-0x000000001D144000-memory.dmp

Filesize
80KB

Download
memory/1796-39-0x000000001D100000-0x000000001D12E000-memory.dmp

Filesize
184KB

Download
memory/1796-41-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads