nanocore | 2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea

General

Target

Loader.exe
Size

202KB
MD5

7280028431d7027ec91a5d0e66f10454
SHA1

111c1c8b84a9e594aeddf940887c6ef25ab4ad4d
SHA256

2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea
SHA512

d0910785383246f220bbbe1162c877729deaf4c0cf0fc52ba03cab074f611953876361f680358e3306cd6dd6ddf28ff6e83ec56220e03a6ff2d9cd0601b3e1d4
SSDEEP

6144:gLV6Bta6dtJmakIM5EG1amlMCGx5PkRKMV9BP:gLV6BtpmkvG17lMCGzPK

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Deletes itself 1 IoCs

pid	Process
796	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	Loader.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	Loader.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
796	cmd.exe
1416	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
2988	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1416	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2820	Loader.exe
2820	Loader.exe
2820	Loader.exe
2820	Loader.exe
2820	Loader.exe
2820	Loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	Loader.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	Loader.exe
Token: SeDebugPrivilege	2820	Loader.exe
Token: SeDebugPrivilege	2820	Loader.exe
Token: SeDebugPrivilege	2988	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2528	2820	Loader.exe	30
PID 2820 wrote to memory of 2528	2820	Loader.exe	30
PID 2820 wrote to memory of 2528	2820	Loader.exe	30
PID 2820 wrote to memory of 2528	2820	Loader.exe	30
PID 2820 wrote to memory of 2576	2820	Loader.exe	32
PID 2820 wrote to memory of 2576	2820	Loader.exe	32
PID 2820 wrote to memory of 2576	2820	Loader.exe	32
PID 2820 wrote to memory of 2576	2820	Loader.exe	32
PID 2820 wrote to memory of 796	2820	Loader.exe	34
PID 2820 wrote to memory of 796	2820	Loader.exe	34
PID 2820 wrote to memory of 796	2820	Loader.exe	34
PID 2820 wrote to memory of 796	2820	Loader.exe	34
PID 796 wrote to memory of 2988	796	cmd.exe	36
PID 796 wrote to memory of 2988	796	cmd.exe	36
PID 796 wrote to memory of 2988	796	cmd.exe	36
PID 796 wrote to memory of 2988	796	cmd.exe	36
PID 796 wrote to memory of 1416	796	cmd.exe	38
PID 796 wrote to memory of 1416	796	cmd.exe	38
PID 796 wrote to memory of 1416	796	cmd.exe	38
PID 796 wrote to memory of 1416	796	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /delete /f /tn "UDP Service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /delete /f /tn "UDP Service Task"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C taskkill /f /im "Loader.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\Loader.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 -w 3000 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-2-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-15-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads