nanocore | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/Trojan.MSIL.Agent.exe
Size

362KB
MD5

74db23e9489da1c4b4098c8b49faf65f
SHA1

e7692bdbeafa8523ed14ef77f88037724ad34338
SHA256

86c8896067480a260f931692b6f2223d603415a0708e8d16cc5ead90f9b22ba3
SHA512

1f6b13769838bbfa7afddaaaa84295c40d81230e9e314bce26bb858be7baa25294fe6483b8f25d1092e3627cdb4c0642d121e94e49d925a78c3ee6ea4e1140f9
SSDEEP

6144:3LV6Bta6dtJmakIM5tpr/jHrGS/UwJCgwXY7RURu0KX:3LV6BtpmkA/jHrGGyI1UU0I

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Service = "C:\\Program Files (x86)\\IMAP Service\\imapsvc.exe"	Trojan.MSIL.Agent.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan.MSIL.Agent.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IMAP Service\imapsvc.exe	Trojan.MSIL.Agent.exe
File opened for modification	C:\Program Files (x86)\IMAP Service\imapsvc.exe	Trojan.MSIL.Agent.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.MSIL.Agent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
364	schtasks.exe
3208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3460	Trojan.MSIL.Agent.exe
3460	Trojan.MSIL.Agent.exe
3460	Trojan.MSIL.Agent.exe
3460	Trojan.MSIL.Agent.exe
3460	Trojan.MSIL.Agent.exe
3460	Trojan.MSIL.Agent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3460	Trojan.MSIL.Agent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	Trojan.MSIL.Agent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 364	3460	Trojan.MSIL.Agent.exe	84
PID 3460 wrote to memory of 364	3460	Trojan.MSIL.Agent.exe	84
PID 3460 wrote to memory of 364	3460	Trojan.MSIL.Agent.exe	84
PID 3460 wrote to memory of 3208	3460	Trojan.MSIL.Agent.exe	86
PID 3460 wrote to memory of 3208	3460	Trojan.MSIL.Agent.exe	86
PID 3460 wrote to memory of 3208	3460	Trojan.MSIL.Agent.exe	86

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:364
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpACEA.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp

Filesize
1KB

MD5
6d99895bd5066d9af389889bb39d0e07

SHA1
b2a9f4bf5aa2a4c9644cc963997979d6d42b9b8f

SHA256
0cc25103bb7a5cb0b4acd8e1a9d1976705706c46b4b4c13076befaf20c7fa347

SHA512
aa521d9d6ab6d59294eb319c6c369c0a0fd5227f1206b5a309e1cf06f5b4e3502acbdb9320aceb0643e0f04a91cf93291c069fb1e873cfd888f0e11f22e0af4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACEA.tmp

Filesize
1KB

MD5
066a3d1b1e4f42b003bb05726c94f77b

SHA1
d2d07af3e380a3e5ab6c2776e58b110752683660

SHA256
92f9afc9224f9e1ecb6e6d22179b7aec3de23aabca518e6dc6db818fd2cd5a2c

SHA512
67ccb9a2944c1050366756a9d59c21f1e5832582867e00185775be8ffdd69027ca76b583c8808d51d6bbf5b06bac6a3a43500db6adfb9c13bca34ba07a279ae6

Download Submit
memory/3460-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/3460-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3460-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3460-10-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3460-11-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/3460-12-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3460-13-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3460-14-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download