nanocore | 1be5176e2bdc3b3434e8dc95c902e0cfaaaf7a23fc8203b413effc121011ad30

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sd.exe
Size

203KB
MD5

cb57bb7b429df360f87e1e83566ff9a7
SHA1

8d03c9d0b486d0fcd2e271e0902039cdb0480705
SHA256

1be5176e2bdc3b3434e8dc95c902e0cfaaaf7a23fc8203b413effc121011ad30
SHA512

1859e20474b69aa658f723c08c6543505ebe1843d1b6eee401fb7688821485397e5d20b7589be81d4f0ad7071120be6b9595bfe82e096c85126dc282472f47b8
SSDEEP

6144:sLV6Bta6dtJmakIM5O/Uj1i3VmcHhyT9O+PjmdR/Fyr:sLV6BtpmkV/UJilzHhUO+yd6

Score

10^/10

nanocore collection evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2648-27-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2648-25-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2648-28-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2648-31-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/2648-27-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2648-25-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2648-28-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2648-31-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"	sd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2648	3000	sd.exe	34
PID 3000 set thread context of 2904	3000	sd.exe	35

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DOS Manager\dosmgr.exe	sd.exe
File opened for modification	C:\Program Files (x86)\DOS Manager\dosmgr.exe	sd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1580	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3000	sd.exe
3000	sd.exe
3000	sd.exe
3000	sd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	sd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	sd.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1580	3000	sd.exe	28
PID 3000 wrote to memory of 1580	3000	sd.exe	28
PID 3000 wrote to memory of 1580	3000	sd.exe	28
PID 3000 wrote to memory of 1580	3000	sd.exe	28
PID 3000 wrote to memory of 2408	3000	sd.exe	30
PID 3000 wrote to memory of 2408	3000	sd.exe	30
PID 3000 wrote to memory of 2408	3000	sd.exe	30
PID 3000 wrote to memory of 2408	3000	sd.exe	30
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2648	3000	sd.exe	34
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35
PID 3000 wrote to memory of 2904	3000	sd.exe	35

C:\Users\Admin\AppData\Local\Temp\sd.exe
"C:\Users\Admin\AppData\Local\Temp\sd.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp944.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1580
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2408
- \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yvzgduvx.yya"
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:2648
- \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\paun2wqs.hse"
  2⤵
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\paun2wqs.hse

Filesize
926B

MD5
919e671c3d5959a91ef2d4c377d2b2ff

SHA1
b1202b19512bbd390d3d5164792501c87bb42c41

SHA256
d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651

SHA512
f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp944.tmp

Filesize
1KB

MD5
f7d890eac080bcc878916c23c4b34c3d

SHA1
efa80352399bfd5c91b958dbc45228560e3a2b7e

SHA256
a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670

SHA512
a03dfd061d8fe7d01333fbdc641a92d9daa56dd21758ce788ea3a5114de16fcc37acd5f7bb0aaad5b23dc74c50ce51ab80603f429bd61292d81497ce68287085

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp

Filesize
1KB

MD5
8f5713b14cee3089852f6c8d2a7a7d57

SHA1
8bffbea05715c6434ad593cce8a2c737f80ff788

SHA256
ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c

SHA512
82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvzgduvx.yya

Filesize
523B

MD5
69b2a2e17e78d24abee9f1de2f04811a

SHA1
d19c109704e83876ab3527457f9418a7d053aa33

SHA256
1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

SHA512
eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Download Submit
memory/2648-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-35-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-42-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-13-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-2-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-0-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download