nanocore | 2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea

General

Target

Loader.exe
Size

202KB
MD5

7280028431d7027ec91a5d0e66f10454
SHA1

111c1c8b84a9e594aeddf940887c6ef25ab4ad4d
SHA256

2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea
SHA512

d0910785383246f220bbbe1162c877729deaf4c0cf0fc52ba03cab074f611953876361f680358e3306cd6dd6ddf28ff6e83ec56220e03a6ff2d9cd0601b3e1d4
SSDEEP

6144:gLV6Bta6dtJmakIM5EG1amlMCGx5PkRKMV9BP:gLV6BtpmkvG17lMCGzPK

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe"	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ARP Host\arphost.exe	Loader.exe
File opened for modification	C:\Program Files (x86)\ARP Host\arphost.exe	Loader.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3524	cmd.exe
4704	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
4344	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4704	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5080	Loader.exe
5080	Loader.exe
5080	Loader.exe
5080	Loader.exe
5080	Loader.exe
5080	Loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5080	Loader.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	Loader.exe
Token: SeDebugPrivilege	5080	Loader.exe
Token: SeDebugPrivilege	5080	Loader.exe
Token: SeDebugPrivilege	4344	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 956	5080	Loader.exe	89
PID 5080 wrote to memory of 956	5080	Loader.exe	89
PID 5080 wrote to memory of 956	5080	Loader.exe	89
PID 5080 wrote to memory of 2304	5080	Loader.exe	91
PID 5080 wrote to memory of 2304	5080	Loader.exe	91
PID 5080 wrote to memory of 2304	5080	Loader.exe	91
PID 5080 wrote to memory of 3524	5080	Loader.exe	93
PID 5080 wrote to memory of 3524	5080	Loader.exe	93
PID 5080 wrote to memory of 3524	5080	Loader.exe	93
PID 3524 wrote to memory of 4344	3524	cmd.exe	95
PID 3524 wrote to memory of 4344	3524	cmd.exe	95
PID 3524 wrote to memory of 4344	3524	cmd.exe	95
PID 3524 wrote to memory of 4704	3524	cmd.exe	96
PID 3524 wrote to memory of 4704	3524	cmd.exe	96
PID 3524 wrote to memory of 4704	3524	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /delete /f /tn "ARP Host"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /delete /f /tn "ARP Host Task"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C taskkill /f /im "Loader.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\Loader.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 -w 3000 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5080-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/5080-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-5-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-9-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/5080-10-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-11-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-12-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/5080-19-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads