nanocore | 8b4cda9baec878f1dd69acf5e3fe33ef80b4ba84856e6416be9a0f40028329a4

General

Target

PW.exe
Size

203KB
MD5

b2f82753cb0f4d065662b530924bb50c
SHA1

631f130194792d63f7fa75451eb3175422d93af8
SHA256

8b4cda9baec878f1dd69acf5e3fe33ef80b4ba84856e6416be9a0f40028329a4
SHA512

1c120dd4ae8aed29692ded0fc7099fff5a26a1a26b7d1ebd00af325e5e9617b933419ecd9407ef5dec35482bc9809df1ace9ed482dc9c260f6a6eb0ff5e46466
SSDEEP

3072:uzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI7h7UcQkPyI7e6cs1WpdGE9pAs:uLV6Bta6dtJmakIM50Q4T7e6L1qpp

Score

10^/10

nanocore defense_evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files\\DDP Manager\\ddpmgr.exe"	PW.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PW.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DDP Manager\ddpmgr.exe	PW.exe
File created	C:\Program Files\DDP Manager\ddpmgr.exe	PW.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4268	schtasks.exe
960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4952	PW.exe
4952	PW.exe
4952	PW.exe
4952	PW.exe
4952	PW.exe
4952	PW.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4952	PW.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	PW.exe
Token: SeDebugPrivilege	4952	PW.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4268	4952	PW.exe	82
PID 4952 wrote to memory of 4268	4952	PW.exe	82
PID 4952 wrote to memory of 960	4952	PW.exe	84
PID 4952 wrote to memory of 960	4952	PW.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PW.exe
"C:\Users\Admin\AppData\Local\Temp\PW.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB333.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4268
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB382.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB333.tmp

Filesize
1KB

MD5
faa6c46bb16e1903ec5525505d34dc46

SHA1
cb63d917c4c485a0fa1aea00d63ae1178f6198aa

SHA256
6d64b298ce4ef6023264ed81a3722f0be12b0f90d2eab3605872d83b80152ad4

SHA512
1ca4367c15452e77fd680f7d065c1658ca4c7745b89ebeb01e7989b99cd2a612a4167f92213529d10829196747c301cf5ce387ae15e99a48fd383d180f426195

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB382.tmp

Filesize
1KB

MD5
b2a51432a6710d8ef19e6efb6e7137d0

SHA1
56116dc0ae3db72911885a7e079eb4459427d7d9

SHA256
5ac60125d8aa79e67d5b3a3bd0cac1d0e8bd404da6d383f343c0ec249970db13

SHA512
2f372ea8d500ece08da39ea3b6a6b741554b21c48f3d42fd43aba7b7f2822750af36adbf7b2e4504b42964d77145a9bfc5f4a0d8921ffbfb60efde79137e8e2b

Download Submit
memory/4952-21-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-24-0x000000001C6F0000-0x000000001C702000-memory.dmp

Filesize
72KB

Download
memory/4952-4-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-5-0x0000000001640000-0x0000000001648000-memory.dmp

Filesize
32KB

Download
memory/4952-6-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-8-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-2-0x000000001C3D0000-0x000000001C46C000-memory.dmp

Filesize
624KB

Download
memory/4952-1-0x000000001BE60000-0x000000001C32E000-memory.dmp

Filesize
4.8MB

Download
memory/4952-15-0x000000001CEB0000-0x000000001CEBA000-memory.dmp

Filesize
40KB

Download
memory/4952-16-0x000000001CE30000-0x000000001CE4E000-memory.dmp

Filesize
120KB

Download
memory/4952-18-0x000000001C810000-0x000000001C81A000-memory.dmp

Filesize
40KB

Download
memory/4952-17-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-19-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-20-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-3-0x000000001C620000-0x000000001C6C6000-memory.dmp

Filesize
664KB

Download
memory/4952-0-0x00007FFECB3E5000-0x00007FFECB3E6000-memory.dmp

Filesize
4KB

Download
memory/4952-28-0x000000001D480000-0x000000001D48C000-memory.dmp

Filesize
48KB

Download
memory/4952-26-0x000000001C700000-0x000000001C70E000-memory.dmp

Filesize
56KB

Download
memory/4952-25-0x000000001D0C0000-0x000000001D0DA000-memory.dmp

Filesize
104KB

Download
memory/4952-31-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4952-30-0x000000001D4A0000-0x000000001D4B4000-memory.dmp

Filesize
80KB

Download
memory/4952-29-0x000000001D490000-0x000000001D49E000-memory.dmp

Filesize
56KB

Download
memory/4952-27-0x000000001D470000-0x000000001D482000-memory.dmp

Filesize
72KB

Download
memory/4952-35-0x000000001D240000-0x000000001D254000-memory.dmp

Filesize
80KB

Download
memory/4952-34-0x000000001D4B0000-0x000000001D4DE000-memory.dmp

Filesize
184KB

Download
memory/4952-33-0x000000001D230000-0x000000001D23E000-memory.dmp

Filesize
56KB

Download
memory/4952-32-0x000000001C6D0000-0x000000001C6E4000-memory.dmp

Filesize
80KB

Download
memory/4952-37-0x000000001E180000-0x000000001E1E2000-memory.dmp

Filesize
392KB

Download
memory/4952-38-0x00007FFECB3E5000-0x00007FFECB3E6000-memory.dmp

Filesize
4KB

Download
memory/4952-39-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download
memory/4952-40-0x00007FFECB130000-0x00007FFECBAD1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads