nanocore | 593ca3c64c7bb92f0636ed1b69cd9223a0fdd4ef348035862b0abeb4c2364a26

General

Target

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
Size

452KB
MD5

2d5b4052ba6e888d0a2e8b044bc04651
SHA1

7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
SHA256

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
SHA512

2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed
SSDEEP

12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

Processes:

flow	ioc
44	6.tcp.eu.ngrok.io
46	6.tcp.eu.ngrok.io
89	6.tcp.eu.ngrok.io
102	6.tcp.eu.ngrok.io
104	6.tcp.eu.ngrok.io
24	6.tcp.eu.ngrok.io
26	6.tcp.eu.ngrok.io
91	6.tcp.eu.ngrok.io
97	6.tcp.eu.ngrok.io
116	6.tcp.eu.ngrok.io
21	6.tcp.eu.ngrok.io
57	6.tcp.eu.ngrok.io
63	6.tcp.eu.ngrok.io
71	6.tcp.eu.ngrok.io
110	6.tcp.eu.ngrok.io
28	6.tcp.eu.ngrok.io
37	6.tcp.eu.ngrok.io
100	6.tcp.eu.ngrok.io
108	6.tcp.eu.ngrok.io
61	6.tcp.eu.ngrok.io
93	6.tcp.eu.ngrok.io
75	6.tcp.eu.ngrok.io
79	6.tcp.eu.ngrok.io
81	6.tcp.eu.ngrok.io
59	6.tcp.eu.ngrok.io
73	6.tcp.eu.ngrok.io
69	6.tcp.eu.ngrok.io
95	6.tcp.eu.ngrok.io
31	6.tcp.eu.ngrok.io
33	6.tcp.eu.ngrok.io
112	6.tcp.eu.ngrok.io
87	6.tcp.eu.ngrok.io
106	6.tcp.eu.ngrok.io
77	6.tcp.eu.ngrok.io
1	6.tcp.eu.ngrok.io
53	6.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3340 schtasks.exe
1840 schtasks.exe

pid	process
3340	schtasks.exe
1840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

pid	process
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

pid process

4108 c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

description	pid	process
Token: SeDebugPrivilege	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
Token: SeDebugPrivilege	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

description	pid	process	target process
PID 4108 wrote to memory of 3340	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe
PID 4108 wrote to memory of 3340	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe
PID 4108 wrote to memory of 3340	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe
PID 4108 wrote to memory of 1840	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe
PID 4108 wrote to memory of 1840	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe
PID 4108 wrote to memory of 1840	4108	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
"C:\Users\Admin\AppData\Local\Temp\c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA019.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp
Filesize
1KB

MD5
14608f606fdbc8c928fc56a257d4c283

SHA1
cc88cc40f7b676fc03f413877066dd2dc51569d7

SHA256
c4de491d38884874a17664a071aa3cfb39c2d7de9e24b684813a52577c47615f

SHA512
4b3b1496a8f800a4a609d24a7a91589e0377c217b76647f6e38a2367bc51e12106471ae0e06fe09ca00c5c3bb09a5bf42dd370445dd01c17664223f513d395b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA019.tmp
Filesize
1KB

MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
memory/4108-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/4108-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4108-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4108-10-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4108-11-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/4108-12-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4108-13-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4108-14-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads