nanocore | 0e17b2b81b13338e415d95d444bc02767e82880de035443efb9383655e0a8b6e

General

Target

Hacked.exe
Size

158KB
MD5

6a2bc643b402f2e4a2dabe7f0cf035c2
SHA1

01dba3b4359648405fc0e4e0194f7ca324fbb9c5
SHA256

0c05271eb12acf9261961a88e5967efb9be04a76b3f6ba9d23bc911b519675c4
SHA512

772f64a7567de9990b5489189879635bef3df82f193f639f6b6c95bb769d2a4208a259f0e3702e69221e99f3b39618c678e7d3a6bd2b5f4573e2a88e7bfed57e
SSDEEP

3072:u5Pto80z+vFMCnOzS9FL9sGR2uRyR7QPMtdVi3x5I+0Wif2XpdcZzobRfpNJ:uM80mniiLU7QPerK0Wif2XpyoN7J

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hacked.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Host = "C:\\Program Files\\PCI Host\\pcihost.exe"	Hacked.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Hacked.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hacked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hacked.exe

Drops file in Program Files directory 2 IoCs

Processes:

Hacked.exe

description	ioc	process
File created	C:\Program Files\PCI Host\pcihost.exe	Hacked.exe
File opened for modification	C:\Program Files\PCI Host\pcihost.exe	Hacked.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1544 schtasks.exe
2812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Hacked.exe

pid process

3624 Hacked.exe
3624 Hacked.exe
3624 Hacked.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Hacked.exe

pid process

3624 Hacked.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Hacked.exe

description pid process

Token: SeDebugPrivilege 3624 Hacked.exe

pid	process
1544	schtasks.exe
2812	schtasks.exe

pid	process
3624	Hacked.exe
3624	Hacked.exe
3624	Hacked.exe

pid	process
3624	Hacked.exe

description	pid	process
Token: SeDebugPrivilege	3624	Hacked.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Hacked.exe

description	pid	process	target process
PID 3624 wrote to memory of 2812	3624	Hacked.exe	schtasks.exe
PID 3624 wrote to memory of 2812	3624	Hacked.exe	schtasks.exe
PID 3624 wrote to memory of 1544	3624	Hacked.exe	schtasks.exe
PID 3624 wrote to memory of 1544	3624	Hacked.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Hacked.exe
"C:\Users\Admin\AppData\Local\Temp\Hacked.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9636.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp

Filesize
1KB

MD5
8167516eff07a6693d5d6077b0508ec9

SHA1
ac602f80bd3b26b3026134bfdf30ceb61feee90f

SHA256
578855e1bae9d5aff5ce490d3f0201210bb5519f4694611a2343005c31e9d135

SHA512
6e25ef218fdcb1d686d1faeef4baa97245c9f4398807261ea6f6329d0fde769094287236f57b1bc6d3b51f74a36173f8a75eff7099c266aac3e3537a7ce30cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9636.tmp

Filesize
1KB

MD5
e334ffb7d6d9009b3bd887c563cffba8

SHA1
c3e8f005103703994fdeae2dbe2eb163847f0263

SHA256
93d5b6cab5bc08b28baec26ba7a6788768d9bdc80046726948f89d31ba827c16

SHA512
d0c8101083bc7a491d2d7dcf0127b56c06bd15c319e4fe8c99e2f9833d8a926bd15a0b9aa7a0ffe41d93b4bb87b1a61d098c292d640be53c6f7e65c4f407655a

Download Submit
memory/3624-15-0x000000001D110000-0x000000001D128000-memory.dmp

Filesize
96KB

Download
memory/3624-16-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-4-0x000000001C6E0000-0x000000001C786000-memory.dmp

Filesize
664KB

Download
memory/3624-5-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/3624-6-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-2-0x000000001BFC0000-0x000000001C48E000-memory.dmp

Filesize
4.8MB

Download
memory/3624-1-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-14-0x000000001CE40000-0x000000001CE4C000-memory.dmp

Filesize
48KB

Download
memory/3624-0-0x00007FFBBF875000-0x00007FFBBF876000-memory.dmp

Filesize
4KB

Download
memory/3624-3-0x000000001C490000-0x000000001C52C000-memory.dmp

Filesize
624KB

Download
memory/3624-17-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-18-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-19-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-20-0x00007FFBBF875000-0x00007FFBBF876000-memory.dmp

Filesize
4KB

Download
memory/3624-21-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-22-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-23-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download
memory/3624-24-0x00007FFBBF5C0000-0x00007FFBBFF61000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads