nanocore | 0e7854dca23f692c67d6e36eb16f235c07bc03d9c6877f9333606703f8b47222

General

Target

New Order(August Quote).exe
Size

2.1MB
MD5

7eb71859c6f6e8fa0c7f1d5623d9431a
SHA1

02d4a58e24bb3f7f52cb8b2042f14ac21cca2f91
SHA256

0b440cf4ef6b131ca35986fbaf065f90c03474f6a96c376f4b61ccefa9c5f607
SHA512

b8ccca6f85cc41c8c49ded587ec21b400267ea9ddb9939a9bafdffeb4c79d67f55ec794653b50f68b7909630ec31d4622819ef254d3c50e80b707ca864c888c6
SSDEEP

24576:V2pLQIwaKAVVYgd1KOc712GOSr6vMfizjmXE9Ni2x1h1vJb1c1OmoX2p:VC5wapVVYgd1K4crbbU9Me1h1Bbh

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2792	Drengebarnetsoplysningerneu1.exe
2640	Drengebarnetsoplysningerneu1.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	New Order(August Quote).exe
2648	New Order(August Quote).exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe"	Drengebarnetsoplysningerneu1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chaussuresulovlighedentem8 = "wscript \"C:\\Users\\Admin\\Reflatingritualismsblodsnkning\\Drengebarnetsoplysningerneu1.vbs\""	Drengebarnetsoplysningerneu1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Drengebarnetsoplysningerneu1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2648	2632	New Order(August Quote).exe	30
PID 2792 set thread context of 2640	2792	Drengebarnetsoplysningerneu1.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PCI Service\pcisv.exe	Drengebarnetsoplysningerneu1.exe
File created	C:\Program Files (x86)\PCI Service\pcisv.exe	Drengebarnetsoplysningerneu1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	New Order(August Quote).exe
File opened for modification	C:\Windows\win.ini	New Order(August Quote).exe
File opened for modification	C:\Windows\win.ini	Drengebarnetsoplysningerneu1.exe
File opened for modification	C:\Windows\win.ini	Drengebarnetsoplysningerneu1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drengebarnetsoplysningerneu1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order(August Quote).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order(August Quote).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drengebarnetsoplysningerneu1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2640	Drengebarnetsoplysningerneu1.exe
2640	Drengebarnetsoplysningerneu1.exe
2640	Drengebarnetsoplysningerneu1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	Drengebarnetsoplysningerneu1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	Drengebarnetsoplysningerneu1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2632	New Order(August Quote).exe
2648	New Order(August Quote).exe
2792	Drengebarnetsoplysningerneu1.exe
2640	Drengebarnetsoplysningerneu1.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2640	Drengebarnetsoplysningerneu1.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2648	2632	New Order(August Quote).exe	30
PID 2632 wrote to memory of 2648	2632	New Order(August Quote).exe	30
PID 2632 wrote to memory of 2648	2632	New Order(August Quote).exe	30
PID 2632 wrote to memory of 2648	2632	New Order(August Quote).exe	30
PID 2648 wrote to memory of 2792	2648	New Order(August Quote).exe	31
PID 2648 wrote to memory of 2792	2648	New Order(August Quote).exe	31
PID 2648 wrote to memory of 2792	2648	New Order(August Quote).exe	31
PID 2648 wrote to memory of 2792	2648	New Order(August Quote).exe	31
PID 2792 wrote to memory of 2640	2792	Drengebarnetsoplysningerneu1.exe	32
PID 2792 wrote to memory of 2640	2792	Drengebarnetsoplysningerneu1.exe	32
PID 2792 wrote to memory of 2640	2792	Drengebarnetsoplysningerneu1.exe	32
PID 2792 wrote to memory of 2640	2792	Drengebarnetsoplysningerneu1.exe	32
PID 2640 wrote to memory of 2540	2640	Drengebarnetsoplysningerneu1.exe	33
PID 2640 wrote to memory of 2540	2640	Drengebarnetsoplysningerneu1.exe	33
PID 2640 wrote to memory of 2540	2640	Drengebarnetsoplysningerneu1.exe	33
PID 2640 wrote to memory of 2540	2640	Drengebarnetsoplysningerneu1.exe	33
PID 2640 wrote to memory of 2612	2640	Drengebarnetsoplysningerneu1.exe	35
PID 2640 wrote to memory of 2612	2640	Drengebarnetsoplysningerneu1.exe	35
PID 2640 wrote to memory of 2612	2640	Drengebarnetsoplysningerneu1.exe	35
PID 2640 wrote to memory of 2612	2640	Drengebarnetsoplysningerneu1.exe	35

C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe
"C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe
  "C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe
    "C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe
      "C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3987.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A05.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3987.tmp

Filesize
1KB

MD5
3dcbc08bcbfab2205f992095c0590d25

SHA1
75277a43acab5e2136ae18d314a1c81b0138d976

SHA256
2c0afe7be4250f8394eff6d892aa3a6bff96670920d15be09815e813ef155b98

SHA512
909c5badbacc32dda79549611d85141254d939193b20e240d4486bfccd0102f185e14d588a48ee42bbffe1a7227d3ae294f495d707070b645bf358ca7ef483f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A05.tmp

Filesize
1KB

MD5
bbb0d424bb7cb3b0e6aeb68cf82b8f5f

SHA1
7e95dcd21a27ee53e5c23ed5a163df56a43d572a

SHA256
08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130

SHA512
0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466

Download Submit
C:\Windows\win.ini

Filesize
525B

MD5
99be09997d437b1f6cb218528a6a5aa3

SHA1
104b1b2ed6852b7e016d1925668783a1c40534f4

SHA256
73ba78036e8384670f480ab85d8297d1d430a11433b46729e3fa848da0e7932f

SHA512
6bd698571b606600f60a527a13461b1ecc586e20cb5dc1fb161b26f7e27432248353712b45a8caa472055322b84783e4c28f48f758ea16b9e4596ddb379994f2

Download Submit
\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe

Filesize
2.1MB

MD5
7eb71859c6f6e8fa0c7f1d5623d9431a

SHA1
02d4a58e24bb3f7f52cb8b2042f14ac21cca2f91

SHA256
0b440cf4ef6b131ca35986fbaf065f90c03474f6a96c376f4b61ccefa9c5f607

SHA512
b8ccca6f85cc41c8c49ded587ec21b400267ea9ddb9939a9bafdffeb4c79d67f55ec794653b50f68b7909630ec31d4622819ef254d3c50e80b707ca864c888c6

Download Submit
memory/2632-4-0x0000000076FD1000-0x00000000770D2000-memory.dmp

Filesize
1.0MB

Download
memory/2632-5-0x0000000076FD0000-0x0000000077179000-memory.dmp

Filesize
1.7MB

Download
memory/2632-11-0x00000000771C0000-0x0000000077296000-memory.dmp

Filesize
856KB

Download
memory/2640-35-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/2648-12-0x0000000076FD0000-0x0000000077179000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads