nanocore | c3b05e542a419256b1eaa62ac2adb55bd77bb7b63e784462b7d994a13add6ee0

General

Target

OT20160097655.scr
Size

733KB
MD5

62310ebea13f180a31b0b59db9612588
SHA1

3990c0b24e6dd4bff2ae7d96cfdaae5ba5e4bd90
SHA256

38b2fc34fccf7c6298f36966578a90a655f8598e69580aab3ec8179c99d0d366
SHA512

d0b545d6d2f1137684e6c48903a522e2893e16d1b3e4af5d2504861c8f6e6b0033219691c7d807e812a662b05988b9fe320f2ce22accd07918b04ac80e6babd1
SSDEEP

12288:iDj2Bi+6FcjG3cvmcwGvWMq81js0EEMQo342NMSBS3mKFETzjxc3MsAdooib54UB:iDj2Qpcjdmc/O5440Y7S3mPf9ccjLibt

Score

10^/10

nanocore discovery evasion keylogger link pdf persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\hygfdfghjkjhgfgh\\6Dlar551dRoM.exe\",explorer.exe"	OT20160097655.scr

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OT20160097655.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 2140	2540	OT20160097655.scr	32

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	OT20160097655.scr

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0008000000018f8e-30.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OT20160097655.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OT20160097655.scr

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2540	OT20160097655.scr
2540	OT20160097655.scr
2140	OT20160097655.scr
2140	OT20160097655.scr
2140	OT20160097655.scr
2140	OT20160097655.scr
2140	OT20160097655.scr
2140	OT20160097655.scr

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2140	OT20160097655.scr
2340	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	OT20160097655.scr
Token: SeDebugPrivilege	2540	OT20160097655.scr
Token: SeDebugPrivilege	2140	OT20160097655.scr

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2340	AcroRd32.exe
2340	AcroRd32.exe
2340	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2340	2540	OT20160097655.scr	31
PID 2540 wrote to memory of 2340	2540	OT20160097655.scr	31
PID 2540 wrote to memory of 2340	2540	OT20160097655.scr	31
PID 2540 wrote to memory of 2340	2540	OT20160097655.scr	31
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32
PID 2540 wrote to memory of 2140	2540	OT20160097655.scr	32

C:\Users\Admin\AppData\Local\Temp\OT20160097655.scr
"C:\Users\Admin\AppData\Local\Temp\OT20160097655.scr" /S
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ttw044H3cLbqAltU.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\OT20160097655.scr
  "C:\Users\Admin\AppData\Local\Temp\OT20160097655.scr"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ttw044H3cLbqAltU.pdf

Filesize
259KB

MD5
209930e1bc62f2024b4423ca14c757eb

SHA1
007f533f4791e4068fa4c1121abe3a6a7679cfc8

SHA256
eec6b6cec04b714de9c00b2b9fb6f6ca72b14310dc3b3ffc166d300cfef51004

SHA512
842adb45b21abc663ba60270aa2b97e51fa58ed1cda11709399a837be7c3999d6c7ecfabdcb6fd0c4bf8be39c97e5a393228b8c991ba6d611e199774b90399b4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cf9e4f4cf046d92dbb0ac05758aff412

SHA1
3bac384f0626f7bfe1ba9f03012c470a6a1c0955

SHA256
b70ea5d815b8e1775c38dc9285d53ead2c906b4e444a16d805080b9096c438a0

SHA512
9d618010b094e10fd5ad99fd869f5ede1a8f1a85d4b099c38af8ee73a183cfb9d5de8aaa8d614fdccc94effa47604242a5e60b6f954c6042c87f4ac48aaf9ccb

Download Submit
memory/2140-28-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-48-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-29-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2140-27-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-3-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/2540-8-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-47-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-4-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads