nanocore | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

03/02/2025, 21:57

250203-1t5hmsvmat 10

03/02/2025, 04:37

250203-e896saslgn 10

31/01/2025, 18:35

250131-w8gmxatmc1 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/Trojan.MSIL.Agent.exe
Size

203KB
MD5

cc214d61ebb2b63d738e64cba831722e
SHA1

0387a2073cab7fbd99cd9c9c951b9afa6ba1097c
SHA256

0737463d0ed8addd2c9adf17c3289e48ea012750b5f826da5b33da8408341e3c
SHA512

cdacc8971faceb69097b9a2053e059d061c65bad0c7e4141e8f0a6cadf740bd5537afc9f17e38be5e1eed60566b9fa6542dd1b3ead834ab16f23111060db684f
SSDEEP

3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIm1b8Wd2H2hdHZVLdkj3:sLV6Bta6dtJmakIM5tfTzHTLaj3

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsv.exe"	Trojan.MSIL.Agent.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan.MSIL.Agent.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SMTP Service\smtpsv.exe	Trojan.MSIL.Agent.exe
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsv.exe	Trojan.MSIL.Agent.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.MSIL.Agent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1140	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4756	Trojan.MSIL.Agent.exe
4756	Trojan.MSIL.Agent.exe
4756	Trojan.MSIL.Agent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4756	Trojan.MSIL.Agent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	Trojan.MSIL.Agent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1140	4756	Trojan.MSIL.Agent.exe	84
PID 4756 wrote to memory of 1140	4756	Trojan.MSIL.Agent.exe	84
PID 4756 wrote to memory of 1140	4756	Trojan.MSIL.Agent.exe	84
PID 4756 wrote to memory of 2136	4756	Trojan.MSIL.Agent.exe	86
PID 4756 wrote to memory of 2136	4756	Trojan.MSIL.Agent.exe	86
PID 4756 wrote to memory of 2136	4756	Trojan.MSIL.Agent.exe	86

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6254.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1140
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp62B2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6254.tmp

Filesize
1KB

MD5
6d99895bd5066d9af389889bb39d0e07

SHA1
b2a9f4bf5aa2a4c9644cc963997979d6d42b9b8f

SHA256
0cc25103bb7a5cb0b4acd8e1a9d1976705706c46b4b4c13076befaf20c7fa347

SHA512
aa521d9d6ab6d59294eb319c6c369c0a0fd5227f1206b5a309e1cf06f5b4e3502acbdb9320aceb0643e0f04a91cf93291c069fb1e873cfd888f0e11f22e0af4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62B2.tmp

Filesize
1KB

MD5
1129270510286b9e8bae6dc678757352

SHA1
f8f3af28a182023adb3efaaa79d034f399ec16d3

SHA256
6fe1bdf3d1dedec102ac61b47fff909c53e0df8903098c52f3843b1e11a2d863

SHA512
cec6863e4d3a431668cb2aa2fd6bbd032a3e1cc61698fcd9fe952fcffc6ebda0a87ead9090767365a473c143c8b32fd269a4af03454d0f34858252c4b767844f

Download Submit
memory/4756-0-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download
memory/4756-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-10-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-11-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download
memory/4756-12-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-13-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-14-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download