nanocore | bda22856aa9e28f921182bd8ab22e2a55e673e0682aa7de2374b38258cdfb449

Resubmissions

17-11-2024 05:21

241117-f13x6s1pcy 10

Analysis

max time kernel
147s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ads.exe
Size

553KB
MD5

79a480a8b4e688e0e2017a5c83e88612
SHA1

dd07c2258847e73b416cb5f7f8d8530ebbd96364
SHA256

bda22856aa9e28f921182bd8ab22e2a55e673e0682aa7de2374b38258cdfb449
SHA512

bc99a9cbe0cda9fb409ba9cd108a367d8d91ffd91be8f7baa6db0ceb7fb7c370aa7b1153b194f793e880a33e041449d4735581fa14b4dc840ba60ed1a37924f3
SSDEEP

12288:CLV6BtpmkNlQzY2ujFZNo0zbxz3hun/dgoh2MaekI6dVf:gApfNlkMjprNYn/B2ykHl

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Service = "C:\\Program Files (x86)\\IMAP Service\\imapsv.exe"	ads.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ads.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IMAP Service\imapsv.exe	ads.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4412	schtasks.exe
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4580	ads.exe
4580	ads.exe
4580	ads.exe
4580	ads.exe
4580	ads.exe
4580	ads.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4580	ads.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	ads.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4412	4580	ads.exe	81
PID 4580 wrote to memory of 4412	4580	ads.exe	81
PID 4580 wrote to memory of 4412	4580	ads.exe	81
PID 4580 wrote to memory of 3460	4580	ads.exe	83
PID 4580 wrote to memory of 3460	4580	ads.exe	83
PID 4580 wrote to memory of 3460	4580	ads.exe	83

C:\Users\Admin\AppData\Local\Temp\ads.exe
"C:\Users\Admin\AppData\Local\Temp\ads.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB9AB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB9AB.tmp

Filesize
1KB

MD5
6069e0be1edb0666286f11809cd86a75

SHA1
ac91980689c388c351164a934200e0e06c9aa516

SHA256
99baec311be551425cd8dd74b8acde706257b0f83131b45b18874b7f1f14b3d7

SHA512
b668d4838c526cff08c4e70077916288ae443b4f19efbf0f9e1a0a63e50c3ae45dd2609be9b41ceb3116e8c7fc2bf534b200445b8a5b073ba16b3971528aa431

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp

Filesize
1KB

MD5
266ebd097e1267e63a5abfc1dededae8

SHA1
b619bdaa65cbb17c86da3744e566e6a66c7057b4

SHA256
b3689f65cd1048f673cda43b0f93ffddb45bc67da94a62335b7c75ba0f0b2852

SHA512
4db2526f588777bfaf8b7d7799d19e5e384f0ed1fff1905196277383378a98e73b7952d4bccf22cd92c53b5d7f9c9057f896a773a58b1908fe4a41aadae047bd

Download Submit
memory/4580-0-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/4580-1-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4580-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4580-9-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4580-10-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/4580-11-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4580-12-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4580-13-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download