nanocore | 15455df49778d6e1154d788f37171e2e73abc52db4c0b78cde050ad054a23bf7

Analysis

max time kernel
14s
max time network
15s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

37.9MB
MD5

2879823979f8b16f80483eb80f38dcaa
SHA1

83846ac4df07519a2fab9952d43ee9be2fdb5794
SHA256

15455df49778d6e1154d788f37171e2e73abc52db4c0b78cde050ad054a23bf7
SHA512

3470ac73d739c805d52ed452bc463f92977d8b606fd4f83e0aab9546e01d55bac27e9faffb20d3f617b6f48476296588e354453d74a32459225c22d716a205b2
SSDEEP

786432:YRrD3/04fhQJc9LUwSwLzL60o48fyEodlWPy1WGTO7icRS7:YRrT04yJzwR60v8fyEoqPyjt

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 2 IoCs

pid	Process
1752	app.exe
768	App2.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	Launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe"	App2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	App2.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DSL Manager\dslmgr.exe	App2.exe
File opened for modification	C:\Program Files (x86)\DSL Manager\dslmgr.exe	App2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
768	App2.exe
768	App2.exe
768	App2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
768	App2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	App2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1752	2292	Launcher.exe	31
PID 2292 wrote to memory of 1752	2292	Launcher.exe	31
PID 2292 wrote to memory of 1752	2292	Launcher.exe	31
PID 2292 wrote to memory of 768	2292	Launcher.exe	33
PID 2292 wrote to memory of 768	2292	Launcher.exe	33
PID 2292 wrote to memory of 768	2292	Launcher.exe	33
PID 2292 wrote to memory of 768	2292	Launcher.exe	33

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\ProgramData\app.exe
  "C:\ProgramData\app.exe"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\ProgramData\App2.exe
  "C:\ProgramData\App2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\App2.exe

Filesize
202KB

MD5
73f5733f76ac052b15335c1cd985f73f

SHA1
8c4be16301b9da6caa774f800104adf5731b55a4

SHA256
9cf5e2e0f424e7d3b206b17c262a538b29776c34b3fe11fa38222ce8cf7eaff3

SHA512
7acda28d83caf6f27535c0e5e465b6219ba178ad673b0e4af517894c537dd50b7f16d3e83b3ddb7c8c268835eb9fd962902b38e51083a35d0c778aa1600349f5

Download Submit
\ProgramData\app.exe

Filesize
37.7MB

MD5
2b4e3d8483a38b3edb8c5fb6c4ae2377

SHA1
97b61d68ecb640b9c80417b6c5ee3940c1d4807f

SHA256
0bb4106d06534f26e4b1b74627129c7b614339cc9b0eb948200ae739f38321cb

SHA512
737deffa13732a97baa95809b3aa226580c21ad7ceb17ed245244ff7cda0db0e1f0a01a5a9966ea9867b3ef4c6c234b3be76bc90f5bb78c454dc458ced158ba0

Download Submit
memory/2292-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x00000000009C0000-0x0000000002FB6000-memory.dmp

Filesize
38.0MB

Download