nanocore | 0e7854dca23f692c67d6e36eb16f235c07bc03d9c6877f9333606703f8b47222

General

Target

New Order(August Quote).exe
Size

2.1MB
MD5

7eb71859c6f6e8fa0c7f1d5623d9431a
SHA1

02d4a58e24bb3f7f52cb8b2042f14ac21cca2f91
SHA256

0b440cf4ef6b131ca35986fbaf065f90c03474f6a96c376f4b61ccefa9c5f607
SHA512

b8ccca6f85cc41c8c49ded587ec21b400267ea9ddb9939a9bafdffeb4c79d67f55ec794653b50f68b7909630ec31d4622819ef254d3c50e80b707ca864c888c6
SSDEEP

24576:V2pLQIwaKAVVYgd1KOc712GOSr6vMfizjmXE9Ni2x1h1vJb1c1OmoX2p:VC5wapVVYgd1K4crbbU9Me1h1Bbh

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	New Order(August Quote).exe

Executes dropped EXE 2 IoCs

pid	Process
2560	Drengebarnetsoplysningerneu1.exe
744	Drengebarnetsoplysningerneu1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Chaussuresulovlighedentem8 = "wscript \"C:\\Users\\Admin\\Reflatingritualismsblodsnkning\\Drengebarnetsoplysningerneu1.vbs\""	Drengebarnetsoplysningerneu1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Manager = "C:\\Program Files (x86)\\DPI Manager\\dpimgr.exe"	Drengebarnetsoplysningerneu1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Drengebarnetsoplysningerneu1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DPI Manager\dpimgr.exe	Drengebarnetsoplysningerneu1.exe
File opened for modification	C:\Program Files (x86)\DPI Manager\dpimgr.exe	Drengebarnetsoplysningerneu1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	New Order(August Quote).exe
File opened for modification	C:\Windows\win.ini	New Order(August Quote).exe
File opened for modification	C:\Windows\win.ini	Drengebarnetsoplysningerneu1.exe
File opened for modification	C:\Windows\win.ini	Drengebarnetsoplysningerneu1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order(August Quote).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order(August Quote).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drengebarnetsoplysningerneu1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drengebarnetsoplysningerneu1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3540	schtasks.exe
392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
744	Drengebarnetsoplysningerneu1.exe
744	Drengebarnetsoplysningerneu1.exe
744	Drengebarnetsoplysningerneu1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
744	Drengebarnetsoplysningerneu1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	Drengebarnetsoplysningerneu1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3220	New Order(August Quote).exe
440	New Order(August Quote).exe
2560	Drengebarnetsoplysningerneu1.exe
744	Drengebarnetsoplysningerneu1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 440	3220	New Order(August Quote).exe	86
PID 3220 wrote to memory of 440	3220	New Order(August Quote).exe	86
PID 3220 wrote to memory of 440	3220	New Order(August Quote).exe	86
PID 440 wrote to memory of 2560	440	New Order(August Quote).exe	87
PID 440 wrote to memory of 2560	440	New Order(August Quote).exe	87
PID 440 wrote to memory of 2560	440	New Order(August Quote).exe	87
PID 2560 wrote to memory of 744	2560	Drengebarnetsoplysningerneu1.exe	92
PID 2560 wrote to memory of 744	2560	Drengebarnetsoplysningerneu1.exe	92
PID 2560 wrote to memory of 744	2560	Drengebarnetsoplysningerneu1.exe	92
PID 744 wrote to memory of 3540	744	Drengebarnetsoplysningerneu1.exe	93
PID 744 wrote to memory of 3540	744	Drengebarnetsoplysningerneu1.exe	93
PID 744 wrote to memory of 3540	744	Drengebarnetsoplysningerneu1.exe	93
PID 744 wrote to memory of 392	744	Drengebarnetsoplysningerneu1.exe	95
PID 744 wrote to memory of 392	744	Drengebarnetsoplysningerneu1.exe	95
PID 744 wrote to memory of 392	744	Drengebarnetsoplysningerneu1.exe	95

C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe
"C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe
  "C:\Users\Admin\AppData\Local\Temp\New Order(August Quote).exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe
    "C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe
      "C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DPI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DPI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp95A9.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp

Filesize
1KB

MD5
3dcbc08bcbfab2205f992095c0590d25

SHA1
75277a43acab5e2136ae18d314a1c81b0138d976

SHA256
2c0afe7be4250f8394eff6d892aa3a6bff96670920d15be09815e813ef155b98

SHA512
909c5badbacc32dda79549611d85141254d939193b20e240d4486bfccd0102f185e14d588a48ee42bbffe1a7227d3ae294f495d707070b645bf358ca7ef483f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95A9.tmp

Filesize
1KB

MD5
f5cfecb8113f1389673dca400a1825b4

SHA1
c274ce94b3ed69b5041782f8985ccdee953adab2

SHA256
fadc2a28023dcd8aca2aae413440fc5835a2a643aca07fcd9db8d9fe0b2d3ab7

SHA512
9288297097903cea4b68ee61c8f62cffd6ddd61396e9c9b68e527b88d1d4801dd8fd7083432f560b42a515e5f622f66baf2851aee6623534b8a07cfd2ee2686f

Download Submit
C:\Users\Admin\Reflatingritualismsblodsnkning\Drengebarnetsoplysningerneu1.exe

Filesize
2.1MB

MD5
7eb71859c6f6e8fa0c7f1d5623d9431a

SHA1
02d4a58e24bb3f7f52cb8b2042f14ac21cca2f91

SHA256
0b440cf4ef6b131ca35986fbaf065f90c03474f6a96c376f4b61ccefa9c5f607

SHA512
b8ccca6f85cc41c8c49ded587ec21b400267ea9ddb9939a9bafdffeb4c79d67f55ec794653b50f68b7909630ec31d4622819ef254d3c50e80b707ca864c888c6

Download Submit
C:\Windows\win.ini

Filesize
139B

MD5
aec72572671a7b2c61ef7512e55ac0d2

SHA1
ef21cd777af6db193ce7c35ea7cbf2ce67d03527

SHA256
79f1b77c67c81f0459698ec1a2adab47b3de790d8ac899e486c6f3b9fb691ba6

SHA512
7685f71d5bd59ca46a6a46c1b17b93257a041afa32402201102b80809ad916718c88080b77ac5dd18ecdcff701a46e9b8e12668470e57033124f6360f4474c6d

Download Submit
memory/744-34-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/3220-4-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3220-5-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads