nanocore | 282d01ed154e1b6647222c2b6dba6aef8d7f436bbb0115a1f2e8dbf80786cd73

General

Target

2b3a3d0083c66cbf6204b3d18ba032f0N.exe
Size

203KB
MD5

2b3a3d0083c66cbf6204b3d18ba032f0
SHA1

08c3e4d623be2eadae6043a24ba0723c704e559a
SHA256

282d01ed154e1b6647222c2b6dba6aef8d7f436bbb0115a1f2e8dbf80786cd73
SHA512

2e6ae6cf61bb9f0df17add51570fea8d613424927cc02d097220602355e9122ea1b7ce44ccb6e8780458a53840deed254878731aa121112b8659ca7a7fb4cd3b
SSDEEP

3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HICeb8Wd2H2hdHZVLdkjCf:sLV6Bta6dtJmakIM56fTzHTLajA

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Monitor = "C:\\Program Files (x86)\\DNS Monitor\\dnsmon.exe"	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DNS Monitor\dnsmon.exe	2b3a3d0083c66cbf6204b3d18ba032f0N.exe
File opened for modification	C:\Program Files (x86)\DNS Monitor\dnsmon.exe	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3a3d0083c66cbf6204b3d18ba032f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4412	schtasks.exe
5076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe
5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe
5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe
Token: SeDebugPrivilege	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4412	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	86
PID 5096 wrote to memory of 4412	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	86
PID 5096 wrote to memory of 4412	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	86
PID 5096 wrote to memory of 5076	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	89
PID 5096 wrote to memory of 5076	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	89
PID 5096 wrote to memory of 5076	5096	2b3a3d0083c66cbf6204b3d18ba032f0N.exe	89

C:\Users\Admin\AppData\Local\Temp\2b3a3d0083c66cbf6204b3d18ba032f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b3a3d0083c66cbf6204b3d18ba032f0N.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DNS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DNS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5583.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp

Filesize
1KB

MD5
95305ece302f3534eaaea1deb9fdca44

SHA1
450a6c4118de4fec2fa3a03bb34ae659c99ce475

SHA256
2fd30533e168ffce49382b179a3ff13b218f07809967ef43720f329bed6b4c79

SHA512
b29de05a74c5b4b0a3b63dcba39472164ca438e549f7f3ed4fe13bdbdcdb6312cf5709ef830a48c80d7d5e57661714394c37ccb195c664f1fe33df1c6440fc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5583.tmp

Filesize
1KB

MD5
7620b805f7bc12c79e126656c858d0e0

SHA1
89f09b8b4ef1fc421ddf5ed0cbbe012fab7fd666

SHA256
4d6ea014d135bdc4a5fd4281ce705672561b0279deab4302e06cbfe95e1080a6

SHA512
b02ac735c98b20020251a23ffa1b0308ad3a1c99593a15a8020d742472b0d5c36caa31c6ca2372e88cfd3b6792206ea7920162c2a33c83da24f0098c0513f562

Download Submit
memory/5096-0-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/5096-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/5096-2-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/5096-10-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/5096-11-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/5096-12-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/5096-13-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/5096-14-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads