nanocore | 4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04

General

Target

Tempspoffer.exe
Size

40.6MB
MD5

f0082668059d950985a7241f49b2e783
SHA1

a72316855135a7402661576800634a33fba4ffdb
SHA256

4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04
SHA512

453a87d68aafc792fc690766cfcedcfdd3f01039f949f365be269d3e3147466c2e59b5c8ffa16a03db19bdd25b13acddca8fc73b0fde5311077ab142be3efdbd
SSDEEP

786432:90Xbab6t3WWEqamWxa4IzSDqG9dabW+mY72F1y4SQNgNh2AtPHAr7UCM283nrG:90Xub64WEa8JIzSmGGbWQ2F1yINgfBhq

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 3 IoCs

pid	Process
1256	spoffer.exe
2820	Temp sppoffer.exe
2672	Google Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
1248	Tempspoffer.exe
1256	spoffer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Manager = "C:\\Program Files (x86)\\DHCP Manager\\dhcpmgr.exe"	Google Chrome.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Google Chrome.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe	Google Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe
2672	Google Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Google Chrome.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1256	1248	Tempspoffer.exe	30
PID 1248 wrote to memory of 1256	1248	Tempspoffer.exe	30
PID 1248 wrote to memory of 1256	1248	Tempspoffer.exe	30
PID 1256 wrote to memory of 2820	1256	spoffer.exe	31
PID 1256 wrote to memory of 2820	1256	spoffer.exe	31
PID 1256 wrote to memory of 2820	1256	spoffer.exe	31
PID 2820 wrote to memory of 2672	2820	Temp sppoffer.exe	33
PID 2820 wrote to memory of 2672	2820	Temp sppoffer.exe	33
PID 2820 wrote to memory of 2672	2820	Temp sppoffer.exe	33
PID 2820 wrote to memory of 2672	2820	Temp sppoffer.exe	33
PID 2672 wrote to memory of 2128	2672	Google Chrome.exe	34
PID 2672 wrote to memory of 2128	2672	Google Chrome.exe	34
PID 2672 wrote to memory of 2128	2672	Google Chrome.exe	34
PID 2672 wrote to memory of 2128	2672	Google Chrome.exe	34
PID 2672 wrote to memory of 1796	2672	Google Chrome.exe	36
PID 2672 wrote to memory of 1796	2672	Google Chrome.exe	36
PID 2672 wrote to memory of 1796	2672	Google Chrome.exe	36
PID 2672 wrote to memory of 1796	2672	Google Chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DHCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DHCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

Filesize
33.9MB

MD5
f096b2300f64c3fb11d06562a97bc298

SHA1
768afdd542a4be396b10033ed7e4f02f36b8236a

SHA256
30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e

SHA512
7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

Filesize
6.5MB

MD5
7bfd75f09aa7e17d66e9cb4a4149748b

SHA1
79c47f031fa264907f06295985d1b5e1b0ce35d5

SHA256
b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b

SHA512
703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

Filesize
203KB

MD5
39dc955ee6e7b3eefd55691689adb50d

SHA1
fa9fa0a367d4e47906e387da0357865f60541ff0

SHA256
5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48

SHA512
e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp

Filesize
1KB

MD5
fc6066e1f63e193b1d0c3d59db5c029c

SHA1
ac288c28a25c191726a89eba9e1f3476c756826a

SHA256
35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46

SHA512
3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp

Filesize
1KB

MD5
cdf5683344404764a0f3592e9db8a5a1

SHA1
6705943b404de237cdd7080c05af25e2b1b6410c

SHA256
1ea0af7c86be3e61c281ada0470c6dcf178834380def1903b5bb78b49440ffff

SHA512
23c56873ca8520784cc1d6b0b4211b373fff6fb429872932e5274801d3b9d786566877cd16d1ffa0adca8c7aebb0b935701a0c071073edfbdb319002f99a182b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads