nanocore | 586ed5d88e9c4b4c7d64fdc87c134f464cee29a2c75cd7021195e057dbcfaf1c

Reason

Machine shutdown

General

Target

pest.exe
Size

202KB
MD5

3a25b8b57fee2dbe05b915a4ba5a5f23
SHA1

d563fc3b01275e873b938a5f08e15809a8ea44b7
SHA256

586ed5d88e9c4b4c7d64fdc87c134f464cee29a2c75cd7021195e057dbcfaf1c
SHA512

1c7549ae11347dfe60a5db10a169cb5990ba3f1a34a8cdaadd52525bba1c0fad2a932f02f1962289cf02d087d7bcdea9a2d5ac23cc69172dff4a782c82c553a6
SSDEEP

6144:QLV6Bta6dtJmakIM5JzxAnuBlMvBZORkl:QLV6BtpmkMxAIFkl

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	pest.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe"	pest.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pest.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ARP Host\arphost.exe	pest.exe
File opened for modification	C:\Program Files (x86)\ARP Host\arphost.exe	pest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe
3996	pest.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3996	pest.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	pest.exe
Token: SeDebugPrivilege	3996	pest.exe
Token: SeShutdownPrivilege	3996	pest.exe
Token: SeDebugPrivilege	3996	pest.exe
Token: SeDebugPrivilege	3996	pest.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4540	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4244	3996	pest.exe	91
PID 3996 wrote to memory of 4244	3996	pest.exe	91
PID 3996 wrote to memory of 4244	3996	pest.exe	91

C:\Users\Admin\AppData\Local\Temp\pest.exe
"C:\Users\Admin\AppData\Local\Temp\pest.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clean1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b6855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clean1.bat

Filesize
579KB

MD5
5512c5dce702c3564581f40032ef877c

SHA1
3c3b98500b82df4ebfb80bfd20c7399ef029f2d5

SHA256
9fa1a9cb82e9731cba045d93ce8720a78eac7e48e0c88c1a76f46e3536a2341e

SHA512
9541dec6b3fe149c24065d481e21f3943d94646b6b7ccff31643a70a1e2c6f89272a5047e63d49dfac9e07aba9dd5b4215544a6a04b1fbfdd197db7017f6cbe8

Download Submit
C:\Users\Admin\AppData\Roaming\DC5CDDF5-9E4B-4C89-BA53-89649A7A5EE7\settings.bin

Filesize
40B

MD5
ae0f5e6ce7122af264ec533c6b15a27b

SHA1
1265a495c42eed76cc043d50c60c23297e76cce1

SHA256
73b0b92179c61c26589b47e9732ce418b07edee3860ee5a2a5fb06f3b8aa9b26

SHA512
dd44c2d24d4e3a0f0b988ad3d04683b5cb128298043134649bbe33b2512ce0c9b1a8e7d893b9f66fbbcdd901e2b0646c4533fb6c0c8c4afcb95a0efb95d446f8

Download Submit
memory/3996-0-0x0000000074C62000-0x0000000074C63000-memory.dmp

Filesize
4KB

Download
memory/3996-1-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-2-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-5-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-9-0x0000000074C62000-0x0000000074C63000-memory.dmp

Filesize
4KB

Download
memory/3996-10-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-11-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-12-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-22-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads