nanocore | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

03/02/2025, 21:57

250203-1t5hmsvmat 10

03/02/2025, 04:37

250203-e896saslgn 10

31/01/2025, 18:35

250131-w8gmxatmc1 10

Analysis

max time kernel
147s
max time network
133s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/02/2025, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/Trojan.MSIL.Agent.exe
Size

203KB
MD5

cc214d61ebb2b63d738e64cba831722e
SHA1

0387a2073cab7fbd99cd9c9c951b9afa6ba1097c
SHA256

0737463d0ed8addd2c9adf17c3289e48ea012750b5f826da5b33da8408341e3c
SHA512

cdacc8971faceb69097b9a2053e059d061c65bad0c7e4141e8f0a6cadf740bd5537afc9f17e38be5e1eed60566b9fa6542dd1b3ead834ab16f23111060db684f
SSDEEP

3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIm1b8Wd2H2hdHZVLdkj3:sLV6Bta6dtJmakIM5tfTzHTLaj3

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Monitor = "C:\\Program Files (x86)\\SMTP Monitor\\smtpmon.exe"	Trojan.MSIL.Agent.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan.MSIL.Agent.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SMTP Monitor\smtpmon.exe	Trojan.MSIL.Agent.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.MSIL.Agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe
3952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4344	Trojan.MSIL.Agent.exe
4344	Trojan.MSIL.Agent.exe
4344	Trojan.MSIL.Agent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4344	Trojan.MSIL.Agent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	Trojan.MSIL.Agent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1736	4344	Trojan.MSIL.Agent.exe	79
PID 4344 wrote to memory of 1736	4344	Trojan.MSIL.Agent.exe	79
PID 4344 wrote to memory of 1736	4344	Trojan.MSIL.Agent.exe	79
PID 4344 wrote to memory of 3952	4344	Trojan.MSIL.Agent.exe	81
PID 4344 wrote to memory of 3952	4344	Trojan.MSIL.Agent.exe	81
PID 4344 wrote to memory of 3952	4344	Trojan.MSIL.Agent.exe	81

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SMTP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF7A.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1736
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SMTP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAFD8.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAF7A.tmp

Filesize
1KB

MD5
6d99895bd5066d9af389889bb39d0e07

SHA1
b2a9f4bf5aa2a4c9644cc963997979d6d42b9b8f

SHA256
0cc25103bb7a5cb0b4acd8e1a9d1976705706c46b4b4c13076befaf20c7fa347

SHA512
aa521d9d6ab6d59294eb319c6c369c0a0fd5227f1206b5a309e1cf06f5b4e3502acbdb9320aceb0643e0f04a91cf93291c069fb1e873cfd888f0e11f22e0af4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFD8.tmp

Filesize
1KB

MD5
ffa9e95100598072ca693c672478895f

SHA1
518514c3112c51b2b21d36d3262bec72e83d025d

SHA256
1e45d509d390405f93e9f3b64ff497e61cf9bf791c015dde4499184b7a681eb3

SHA512
010d14ae46a23cef14cf1de9a06c8e6ff26ca86c10ebdd3d5f16f4ffbeacc3df7ca18fafda097e00bf747fb997c5c4f9d62646e47a3b501da7c630689c28d6df

Download Submit
memory/4344-0-0x00000000747F2000-0x00000000747F3000-memory.dmp

Filesize
4KB

Download
memory/4344-1-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-2-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-9-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-10-0x00000000747F2000-0x00000000747F3000-memory.dmp

Filesize
4KB

Download
memory/4344-11-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-12-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-13-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download