nanocore | 0e17b2b81b13338e415d95d444bc02767e82880de035443efb9383655e0a8b6e

General

Target

Hacked.exe
Size

158KB
MD5

6a2bc643b402f2e4a2dabe7f0cf035c2
SHA1

01dba3b4359648405fc0e4e0194f7ca324fbb9c5
SHA256

0c05271eb12acf9261961a88e5967efb9be04a76b3f6ba9d23bc911b519675c4
SHA512

772f64a7567de9990b5489189879635bef3df82f193f639f6b6c95bb769d2a4208a259f0e3702e69221e99f3b39618c678e7d3a6bd2b5f4573e2a88e7bfed57e
SSDEEP

3072:u5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdVi3x5I+0Wif2XpdcZzobRfpNJ:uM80mniiLU7QPerK0Wif2XpyoN7J

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hacked.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AGP Host = "C:\\Program Files\\AGP Host\\agphost.exe"	Hacked.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Hacked.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hacked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hacked.exe

Drops file in Program Files directory 2 IoCs

Processes:

Hacked.exe

description	ioc	process
File created	C:\Program Files\AGP Host\agphost.exe	Hacked.exe
File opened for modification	C:\Program Files\AGP Host\agphost.exe	Hacked.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

664 schtasks.exe
884 schtasks.exe

pid	process
664	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

Hacked.exe

pid	process
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe
3428	Hacked.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Hacked.exe

pid process

3428 Hacked.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Hacked.exe

description pid process

Token: SeDebugPrivilege 3428 Hacked.exe

description	pid	process
Token: SeDebugPrivilege	3428	Hacked.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Hacked.exe

description	pid	process	target process
PID 3428 wrote to memory of 664	3428	Hacked.exe	schtasks.exe
PID 3428 wrote to memory of 664	3428	Hacked.exe	schtasks.exe
PID 3428 wrote to memory of 884	3428	Hacked.exe	schtasks.exe
PID 3428 wrote to memory of 884	3428	Hacked.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Hacked.exe
"C:\Users\Admin\AppData\Local\Temp\Hacked.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B0A.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B68.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8B0A.tmp
Filesize
1KB

MD5
8167516eff07a6693d5d6077b0508ec9

SHA1
ac602f80bd3b26b3026134bfdf30ceb61feee90f

SHA256
578855e1bae9d5aff5ce490d3f0201210bb5519f4694611a2343005c31e9d135

SHA512
6e25ef218fdcb1d686d1faeef4baa97245c9f4398807261ea6f6329d0fde769094287236f57b1bc6d3b51f74a36173f8a75eff7099c266aac3e3537a7ce30cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B68.tmp
Filesize
1KB

MD5
f43460c8b71a53f8b4093eb35248269b

SHA1
de0e0bd04c7d101bab29c9df85ce45ab891775db

SHA256
ab211385f33ff62eb4dbae164af50c0427fe7100b0129febd2d931c7701af33e

SHA512
d0bec9a46b8fc7bcc5d36ba8efa6ea77ca95cd871b7775fe117f8741a7f75558aa91013148c83ab5dea4b79bd52257dc502d83f90ae71e9bbd1f525b28d2aaa8

Download Submit
memory/3428-15-0x000000001D570000-0x000000001D588000-memory.dmp

Filesize
96KB

Download
memory/3428-16-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-4-0x000000001CBD0000-0x000000001CC76000-memory.dmp

Filesize
664KB

Download
memory/3428-5-0x00000000018D0000-0x00000000018D8000-memory.dmp

Filesize
32KB

Download
memory/3428-6-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-2-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-1-0x000000001C4B0000-0x000000001C97E000-memory.dmp

Filesize
4.8MB

Download
memory/3428-14-0x000000001D2E0000-0x000000001D2EC000-memory.dmp

Filesize
48KB

Download
memory/3428-0-0x00007FF9C6805000-0x00007FF9C6806000-memory.dmp

Filesize
4KB

Download
memory/3428-3-0x000000001C980000-0x000000001CA1C000-memory.dmp

Filesize
624KB

Download
memory/3428-17-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-18-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-19-0x00007FF9C6805000-0x00007FF9C6806000-memory.dmp

Filesize
4KB

Download
memory/3428-20-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-21-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-22-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-23-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download
memory/3428-24-0x00007FF9C6550000-0x00007FF9C6EF1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads