nanocore | 164a123b62d6c5f64e8c2097948606432a1d114e56959e89feacaadde221518d

General

Target

virus.exe
Size

204KB
MD5

b36f9fb5e68ac0434d8337eb0f764026
SHA1

ba12b94f72f54c8701379213309d0d9e6399eadb
SHA256

164a123b62d6c5f64e8c2097948606432a1d114e56959e89feacaadde221518d
SHA512

c139ce95e3001401aca0e0ea82d965a220630595559c764377dfb0a607dbbc3196a79dc751fd62efa1763b1ad66df00267c1731933e6e3ac2be86dea4793b191
SSDEEP

3072:ozEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIf8lmsolAIrRuw+mqv9j1MWLQe:oLV6Bta6dtJmakIM5dlDAAD

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	virus.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virus.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	virus.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	virus.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2392	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2496	virus.exe
2496	virus.exe
2496	virus.exe
2496	virus.exe
2496	virus.exe
2496	virus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	virus.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	virus.exe
Token: SeDebugPrivilege	2496	virus.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2392	2496	virus.exe	31
PID 2496 wrote to memory of 2392	2496	virus.exe	31
PID 2496 wrote to memory of 2392	2496	virus.exe	31
PID 2496 wrote to memory of 2392	2496	virus.exe	31
PID 2496 wrote to memory of 2940	2496	virus.exe	33
PID 2496 wrote to memory of 2940	2496	virus.exe	33
PID 2496 wrote to memory of 2940	2496	virus.exe	33
PID 2496 wrote to memory of 2940	2496	virus.exe	33

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA056.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp

Filesize
1KB

MD5
11a630776b6038cd50e07f7543a6ab4d

SHA1
ccb63bf3542248714577372d511ad266c0c8fe05

SHA256
fa4553b1d7f0b5233fb7f7038b5b5c4a1e577024167a41eb78ff3e4eadbbfa53

SHA512
6f6567880d6b014b128b0265e11c5097472f8c64e6069f668b2fb375cbc466ab04f550100d8d9c8d1659f5317faa4df1f6a6633c3a16018de9570106111daf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA056.tmp

Filesize
1KB

MD5
0a24db62cb5b84309c4803346caaa25d

SHA1
67660778f61bb44168c33ed3fe56ed86cf9583e8

SHA256
38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df

SHA512
d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

Download Submit
memory/2496-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-13-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-14-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads