nanocore | 0e17b2b81b13338e415d95d444bc02767e82880de035443efb9383655e0a8b6e

General

Target

Hacked.exe
Size

158KB
MD5

6a2bc643b402f2e4a2dabe7f0cf035c2
SHA1

01dba3b4359648405fc0e4e0194f7ca324fbb9c5
SHA256

0c05271eb12acf9261961a88e5967efb9be04a76b3f6ba9d23bc911b519675c4
SHA512

772f64a7567de9990b5489189879635bef3df82f193f639f6b6c95bb769d2a4208a259f0e3702e69221e99f3b39618c678e7d3a6bd2b5f4573e2a88e7bfed57e
SSDEEP

3072:u5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdVi3x5I+0Wif2XpdcZzobRfpNJ:uM80mniiLU7QPerK0Wif2XpyoN7J

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hacked.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files\\TCP Subsystem\\tcpss.exe"	Hacked.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Hacked.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hacked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hacked.exe

Drops file in Program Files directory 2 IoCs

Processes:

Hacked.exe

description	ioc	process
File created	C:\Program Files\TCP Subsystem\tcpss.exe	Hacked.exe
File opened for modification	C:\Program Files\TCP Subsystem\tcpss.exe	Hacked.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1936 schtasks.exe
1708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Hacked.exe

pid process

3024 Hacked.exe
3024 Hacked.exe
3024 Hacked.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Hacked.exe

pid process

3024 Hacked.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Hacked.exe

description pid process

Token: SeDebugPrivilege 3024 Hacked.exe

pid	process
1936	schtasks.exe
1708	schtasks.exe

pid	process
3024	Hacked.exe
3024	Hacked.exe
3024	Hacked.exe

pid	process
3024	Hacked.exe

description	pid	process
Token: SeDebugPrivilege	3024	Hacked.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Hacked.exe

description	pid	process	target process
PID 3024 wrote to memory of 1936	3024	Hacked.exe	schtasks.exe
PID 3024 wrote to memory of 1936	3024	Hacked.exe	schtasks.exe
PID 3024 wrote to memory of 1936	3024	Hacked.exe	schtasks.exe
PID 3024 wrote to memory of 1708	3024	Hacked.exe	schtasks.exe
PID 3024 wrote to memory of 1708	3024	Hacked.exe	schtasks.exe
PID 3024 wrote to memory of 1708	3024	Hacked.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Hacked.exe
"C:\Users\Admin\AppData\Local\Temp\Hacked.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C1.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD4B.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9C1.tmp
Filesize
1KB

MD5
8167516eff07a6693d5d6077b0508ec9

SHA1
ac602f80bd3b26b3026134bfdf30ceb61feee90f

SHA256
578855e1bae9d5aff5ce490d3f0201210bb5519f4694611a2343005c31e9d135

SHA512
6e25ef218fdcb1d686d1faeef4baa97245c9f4398807261ea6f6329d0fde769094287236f57b1bc6d3b51f74a36173f8a75eff7099c266aac3e3537a7ce30cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD4B.tmp
Filesize
1KB

MD5
7cfb960d851ba285bcfe293ac19d0c83

SHA1
091635b35aa2addaa0aa0c95830d7e091bdb89f7

SHA256
fc380c675fa266ba5b6a9c9b3a4b7f11c0433e59cccfdf582a0ff9b6e0069e35

SHA512
de17c74f22b0ae1f4f0a8668bdc66ea39172b246d9cfbe76845832db345990e43dc7d38201917520b1a1dff14991a9dea7db3d8ef2e5cfda13a60d67906b39fe

Download Submit
memory/3024-11-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/3024-3-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-2-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-1-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-0-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

Filesize
4KB

Download
memory/3024-12-0x0000000000E70000-0x0000000000E88000-memory.dmp

Filesize
96KB

Download
memory/3024-13-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-14-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-15-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-16-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

Filesize
4KB

Download
memory/3024-17-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-18-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3024-19-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads