nanocore | c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17

General

Target

2D5B4052BA6E888D0A2E8B044BC04651.exe
Size

452KB
MD5

2d5b4052ba6e888d0a2e8b044bc04651
SHA1

7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
SHA256

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
SHA512

2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed
SSDEEP

12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	2D5B4052BA6E888D0A2E8B044BC04651.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2D5B4052BA6E888D0A2E8B044BC04651.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
28	6.tcp.eu.ngrok.io
44	6.tcp.eu.ngrok.io
14	6.tcp.eu.ngrok.io
40	6.tcp.eu.ngrok.io
20	6.tcp.eu.ngrok.io
26	6.tcp.eu.ngrok.io
36	6.tcp.eu.ngrok.io
16	6.tcp.eu.ngrok.io
22	6.tcp.eu.ngrok.io
38	6.tcp.eu.ngrok.io
42	6.tcp.eu.ngrok.io
8	6.tcp.eu.ngrok.io
10	6.tcp.eu.ngrok.io
24	6.tcp.eu.ngrok.io
32	6.tcp.eu.ngrok.io
46	6.tcp.eu.ngrok.io
48	6.tcp.eu.ngrok.io
4	6.tcp.eu.ngrok.io
6	6.tcp.eu.ngrok.io
34	6.tcp.eu.ngrok.io
50	6.tcp.eu.ngrok.io
52	6.tcp.eu.ngrok.io
2	6.tcp.eu.ngrok.io
12	6.tcp.eu.ngrok.io
18	6.tcp.eu.ngrok.io
30	6.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	2D5B4052BA6E888D0A2E8B044BC04651.exe
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	2D5B4052BA6E888D0A2E8B044BC04651.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2D5B4052BA6E888D0A2E8B044BC04651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	2D5B4052BA6E888D0A2E8B044BC04651.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe
Token: SeDebugPrivilege	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2332	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	31
PID 1036 wrote to memory of 2332	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	31
PID 1036 wrote to memory of 2332	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	31
PID 1036 wrote to memory of 2332	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	31
PID 1036 wrote to memory of 2456	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	33
PID 1036 wrote to memory of 2456	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	33
PID 1036 wrote to memory of 2456	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	33
PID 1036 wrote to memory of 2456	1036	2D5B4052BA6E888D0A2E8B044BC04651.exe	33

C:\Users\Admin\AppData\Local\Temp\2D5B4052BA6E888D0A2E8B044BC04651.exe
"C:\Users\Admin\AppData\Local\Temp\2D5B4052BA6E888D0A2E8B044BC04651.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE215.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2332
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE2A3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE215.tmp

Filesize
1KB

MD5
1cc1e86dcd6727b8a3c2cbbbd34bd872

SHA1
7cb7ee2ec407983deaa5e0bb980cd7a029b2daec

SHA256
01c879bb1d182930cccbd93eaaf3c67e7d96cac11c877533bf7b86d6eea7225c

SHA512
a6fef86a1e3854dc796ec4ccd4b3b30b7e29bf2f7b054280492db564f262c999f25e604ec9b102228c4b3696f482f1c7dddf34a81413d67f5f7b8bfbb834a767

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2A3.tmp

Filesize
1KB

MD5
afb71a33ece3758f782f052bbe5da94f

SHA1
e69b9070ff52f81fdf01a40f775d021e4b4e71e4

SHA256
abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978

SHA512
22c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f

Download Submit
memory/1036-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-2-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-10-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads