nanocore | aab512030974507c73bfa580ea67ffba4629ea44ab61c60ae0b85560c97e1867

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f51d9b034bc2e1a7ea720ea54f0dcf4c.exe
Size

203KB
MD5

f51d9b034bc2e1a7ea720ea54f0dcf4c
SHA1

78b359745584fda695b36dfe7ea039984bb2fe5c
SHA256

aab512030974507c73bfa580ea67ffba4629ea44ab61c60ae0b85560c97e1867
SHA512

942b6a919e910779e5d94310b3d8484a8db2cf6f41b470a55b45ff68859f050648f82a3719faa383a9129c33a558d6f642b9921ef49de2e3c7d9c6310927ef16
SSDEEP

3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HImAzDtCihaFue8Y1WRFj7KV79:MLV6Bta6dtJmakIM5cNC5x8Y167Y79

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe
3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe
3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4920	3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe	88
PID 3156 wrote to memory of 4920	3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe	88
PID 3156 wrote to memory of 4920	3156	f51d9b034bc2e1a7ea720ea54f0dcf4c.exe	88

C:\Users\Admin\AppData\Local\Temp\f51d9b034bc2e1a7ea720ea54f0dcf4c.exe
"C:\Users\Admin\AppData\Local\Temp\f51d9b034bc2e1a7ea720ea54f0dcf4c.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7232.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7232.tmp

Filesize
1KB

MD5
ac08deec33ba8832012b62a6a5bd5622

SHA1
6a43ac93aa2f5c71313f3568572f162b300106cc

SHA256
559ca923799e124fb1aab9850c6289771b7e8b65653184319f1dde5f39cb0b83

SHA512
6ee6c1802f56f32f7aa87f56b79e5447cac2eac88bb07b2e0af045b41c8a8d610eaa3cd53519a3bdef092bbc036d00a46c95e8a312f1e702820532ecf1bc0ac3

Download Submit
memory/3156-0-0x00000000752D2000-0x00000000752D3000-memory.dmp

Filesize
4KB

Download
memory/3156-1-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3156-2-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3156-7-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3156-8-0x00000000752D2000-0x00000000752D3000-memory.dmp

Filesize
4KB

Download
memory/3156-9-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3156-10-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3156-11-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download