Overview

overview

10

Static

static

10

1.exe

windows7-x64

10

1.exe

windows10-2004-x64

10

ClientPlugin.dll

windows7-x64

1

ClientPlugin.dll

windows10-2004-x64

1

NanoCore.exe

windows7-x64

3

NanoCore.exe

windows10-2004-x64

3

Payload.exe

windows7-x64

7

Payload.exe

windows10-2004-x64

7

PluginCompiler.exe

windows7-x64

3

PluginCompiler.exe

windows10-2004-x64

3

ServerPlugin.dll

windows7-x64

1

ServerPlugin.dll

windows10-2004-x64

1

System.Dat...te.dll

windows7-x64

1

System.Dat...te.dll

windows10-2004-x64

1

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

x64/SQLite...op.dll

windows7-x64

1

x64/SQLite...op.dll

windows10-2004-x64

1

x86/SQLite...op.dll

windows7-x64

3

x86/SQLite...op.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 20:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    202KB

  • MD5

    7262cd751358cfecb8d31ff81575ac29

  • SHA1

    fcab5f0e392ae5477635a7ced23bd1d377e69e16

  • SHA256

    4667ca924aa5cbfd0a793da30825f5cb7ea98b2ddf83377c7b6ed91d73c3420c

  • SHA512

    eaaead267bbcf1bda32d7f978493a02f6f87ae5c2af7d5d3ff67ee0d097d540e3ae3c222282b7c97edbbda9a31b608e69db2374aab2346b7f25108912173c7ef

  • SSDEEP

    3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HItMzhzRWEV9UWlv38SAB:wLV6Bta6dtJmakIM5NFAyUWlv3PAB

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2540-0-0x0000000075522000-0x0000000075523000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-5-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-7-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-6-0x0000000075522000-0x0000000075523000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-8-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-9-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download