nanocore | 164a123b62d6c5f64e8c2097948606432a1d114e56959e89feacaadde221518d

General

Target

virus.exe
Size

204KB
MD5

b36f9fb5e68ac0434d8337eb0f764026
SHA1

ba12b94f72f54c8701379213309d0d9e6399eadb
SHA256

164a123b62d6c5f64e8c2097948606432a1d114e56959e89feacaadde221518d
SHA512

c139ce95e3001401aca0e0ea82d965a220630595559c764377dfb0a607dbbc3196a79dc751fd62efa1763b1ad66df00267c1731933e6e3ac2be86dea4793b191
SSDEEP

3072:ozEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIf8lmsolAIrRuw+mqv9j1MWLQe:oLV6Bta6dtJmakIM5dlDAAD

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Monitor = "C:\\Program Files (x86)\\NAS Monitor\\nasmon.exe"	virus.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virus.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NAS Monitor\nasmon.exe	virus.exe
File opened for modification	C:\Program Files (x86)\NAS Monitor\nasmon.exe	virus.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virus.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5044	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2616	virus.exe
2616	virus.exe
2616	virus.exe
2616	virus.exe
2616	virus.exe
2616	virus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	virus.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	virus.exe
Token: SeDebugPrivilege	2616	virus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 5044	2616	virus.exe	87
PID 2616 wrote to memory of 5044	2616	virus.exe	87
PID 2616 wrote to memory of 5044	2616	virus.exe	87
PID 2616 wrote to memory of 2828	2616	virus.exe	89
PID 2616 wrote to memory of 2828	2616	virus.exe	89
PID 2616 wrote to memory of 2828	2616	virus.exe	89

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "NAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5044
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "NAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8454.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp

Filesize
1KB

MD5
11a630776b6038cd50e07f7543a6ab4d

SHA1
ccb63bf3542248714577372d511ad266c0c8fe05

SHA256
fa4553b1d7f0b5233fb7f7038b5b5c4a1e577024167a41eb78ff3e4eadbbfa53

SHA512
6f6567880d6b014b128b0265e11c5097472f8c64e6069f668b2fb375cbc466ab04f550100d8d9c8d1659f5317faa4df1f6a6633c3a16018de9570106111daf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8454.tmp

Filesize
1KB

MD5
3144131f2fe1c35ad2aafff167a26f59

SHA1
959879de38aed11bc08b7725500d2c8c953e80bf

SHA256
d20aeda9cadd332268afc89cbee76f297b00f061bf69a2f558a8d7657e4c41d7

SHA512
27a07c8f953cc4fde9ec348d3f5c4621ab56ff281b778bc7ac95dd808d5f0eea6969c5e4662efc00a6416c8bcf4d8e3892be5c99e603e36f8aa49d2a957206fb

Download Submit
memory/2616-0-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download
memory/2616-1-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2616-2-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2616-10-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2616-14-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download
memory/2616-15-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2616-16-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2616-17-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads