nanocore | 4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04

General

Target

Tempspoffer.exe
Size

40.6MB
MD5

f0082668059d950985a7241f49b2e783
SHA1

a72316855135a7402661576800634a33fba4ffdb
SHA256

4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04
SHA512

453a87d68aafc792fc690766cfcedcfdd3f01039f949f365be269d3e3147466c2e59b5c8ffa16a03db19bdd25b13acddca8fc73b0fde5311077ab142be3efdbd
SSDEEP

786432:90Xbab6t3WWEqamWxa4IzSDqG9dabW+mY72F1y4SQNgNh2AtPHAr7UCM283nrG:90Xub64WEa8JIzSmGGbWQ2F1yINgfBhq

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Tempspoffer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	spoffer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Temp sppoffer.exe

Executes dropped EXE 3 IoCs

pid	Process
4756	spoffer.exe
2004	Temp sppoffer.exe
3876	Google Chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	Google Chrome.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Google Chrome.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	Google Chrome.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	Google Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3876	Google Chrome.exe
3876	Google Chrome.exe
3876	Google Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3876	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	Google Chrome.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4756	3956	Tempspoffer.exe	83
PID 3956 wrote to memory of 4756	3956	Tempspoffer.exe	83
PID 4756 wrote to memory of 2004	4756	spoffer.exe	85
PID 4756 wrote to memory of 2004	4756	spoffer.exe	85
PID 2004 wrote to memory of 3876	2004	Temp sppoffer.exe	86
PID 2004 wrote to memory of 3876	2004	Temp sppoffer.exe	86
PID 2004 wrote to memory of 3876	2004	Temp sppoffer.exe	86
PID 3876 wrote to memory of 2184	3876	Google Chrome.exe	87
PID 3876 wrote to memory of 2184	3876	Google Chrome.exe	87
PID 3876 wrote to memory of 2184	3876	Google Chrome.exe	87
PID 3876 wrote to memory of 2072	3876	Google Chrome.exe	89
PID 3876 wrote to memory of 2072	3876	Google Chrome.exe	89
PID 3876 wrote to memory of 2072	3876	Google Chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

Filesize
33.9MB

MD5
f096b2300f64c3fb11d06562a97bc298

SHA1
768afdd542a4be396b10033ed7e4f02f36b8236a

SHA256
30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e

SHA512
7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

Filesize
6.5MB

MD5
7bfd75f09aa7e17d66e9cb4a4149748b

SHA1
79c47f031fa264907f06295985d1b5e1b0ce35d5

SHA256
b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b

SHA512
703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

Filesize
203KB

MD5
39dc955ee6e7b3eefd55691689adb50d

SHA1
fa9fa0a367d4e47906e387da0357865f60541ff0

SHA256
5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48

SHA512
e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp

Filesize
1KB

MD5
fc6066e1f63e193b1d0c3d59db5c029c

SHA1
ac288c28a25c191726a89eba9e1f3476c756826a

SHA256
35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46

SHA512
3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp

Filesize
1KB

MD5
0479d5f304ef2d7e3c15fb24a99f88c1

SHA1
8edbb1450a656fac5f5e96779ffe440ee8c1aec9

SHA256
112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc

SHA512
537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads