nanocore | b311a4b65d33d41491e14d50598168da43f75894d30776205213a05248646e86

Resubmissions

17-06-2024 10:03

240617-l3qzaawbpb 10

Analysis

max time kernel
66s
max time network
77s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-06-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

database.exe
Size

202KB
MD5

344e63414eabf4e9a367a35575f3f912
SHA1

873c62937ddf8e8e4f1f8de50fd9e5e85891f26f
SHA256

b311a4b65d33d41491e14d50598168da43f75894d30776205213a05248646e86
SHA512

c1373ecfef42a24b545d863c81af8837ac01b89870106e9312ca84adbbd78d01fbd5ed5c4a514520b88db38c217617e4e4ed70495b83b68c4e2b82d37408f0d6
SSDEEP

6144:wLV6Bta6dtJmakIM5YSxxV2Pvj3Y+w5Ay:wLV6Btpmka2PvTc

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

database.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" database.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

database.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA database.exe
Drops file in Program Files directory 2 IoCs

Processes:

database.exe

description ioc process

File created C:\Program Files (x86)\DPI Service\dpisvc.exe database.exe
File opened for modification C:\Program Files (x86)\DPI Service\dpisvc.exe database.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe"	database.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	database.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisvc.exe	database.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisvc.exe	database.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

database.exe

pid	process
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe
600	database.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

database.exe

pid process

600 database.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

database.exefirefox.exe

description pid process

Token: SeDebugPrivilege 600 database.exe
Token: SeDebugPrivilege 4128 firefox.exe
Token: SeDebugPrivilege 4128 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4128 firefox.exe
4128 firefox.exe
4128 firefox.exe
4128 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4128 firefox.exe
4128 firefox.exe
4128 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4128 firefox.exe

description	pid	process
Token: SeDebugPrivilege	600	database.exe
Token: SeDebugPrivilege	4128	firefox.exe
Token: SeDebugPrivilege	4128	firefox.exe

pid	process
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe

pid	process
4128	firefox.exe
4128	firefox.exe
4128	firefox.exe

pid	process
4128	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 740 wrote to memory of 4128	740	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4120	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4120	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4960	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4664	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4664	4128	firefox.exe	firefox.exe
PID 4128 wrote to memory of 4664	4128	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\database.exe
"C:\Users\Admin\AppData\Local\Temp\database.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.0.178302193\1007203189" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {363c19ee-a417-4c83-b189-27e4f486cf6d} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 1780 21e290d6158 gpu
3⤵
PID:4120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.1.61261066\327258852" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9028b76-cbfe-49bb-bf1d-20fe77b022c3} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 2136 21e28c30858 socket
3⤵
- Checks processor information in registry
PID:4960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.2.1137473995\1508361906" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd16d7cc-cde4-451c-bb5f-32ccb5bb3b7b} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3032 21e2d393158 tab
3⤵
PID:4664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.3.1101551892\1826522309" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7530f0-619e-4f34-8523-0485c753a2ea} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3564 21e16d62258 tab
3⤵
PID:4868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.4.1395604087\1774170961" -childID 3 -isForBrowser -prefsHandle 4416 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e663b2-bc31-4f50-9943-f3638876dccd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4428 21e2f2a7858 tab
3⤵
PID:4300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.5.323068282\1396862862" -childID 4 -isForBrowser -prefsHandle 2524 -prefMapHandle 4824 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99079003-75dc-4463-94dc-af0fe409c5fd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3700 21e2d9ded58 tab
3⤵
PID:1448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.6.665477055\731759365" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5907bdc-f58f-4fd8-a8ca-557bfd9e8a50} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4956 21e2e1f1058 tab
3⤵
PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.7.1184883601\672168546" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5e4df1-d51f-462a-bb72-af22a588f85f} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5140 21e2f9dad58 tab
3⤵
PID:2752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.8.1875503242\1724517108" -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c430896-2541-40a6-b394-5817bc619d10} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5728 21e31221058 tab
3⤵
PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
55f5c762557f059faa1ae44c5e7dc087

SHA1
0df9e5e9be77641102f22806f6a56b626c9e29b3

SHA256
95014fcc924bf4e391cd9da567d13bc164cbc2b806a69034d4d6793326ab701b

SHA512
f21483f1d0397e73eaf88a847d5f6ea3a7ec5e85f1a0474d62b32719866c020794ea000aaba40968efa0319f324df688b9b3caa6f8fe309159311610cdb49910

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\329cb8c8-d477-4ce5-8dee-c368a91cacf0
Filesize
746B

MD5
de1bd75bb410cfcbdce73f9e47449ed5

SHA1
e88e2b59e2503698c0b1221541adb7b6c4cafe8b

SHA256
0d352a99358648889eec1b77ccc2adf7ffaf54829d748dc954cf8397b1472d75

SHA512
a2eef1f9b11aa1f6bf3323596e81fe00c0179b448f20e07e00e7c1d9353d9914db24be78b614aaf3744372414d166dec68969b99eacaf65d2b3499678fe2705f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\b10ad12c-d6b8-4d73-98c4-96520166028a
Filesize
10KB

MD5
a73245a25674c6034d4debd87714ea4b

SHA1
e5f3b31b6efe9a28618faa5119c820001268e0c0

SHA256
b21e5b2a7c46283b951662336ec1d345c74371675db6c1a8912004eee67dece5

SHA512
47bfa708ec5a9f6a972143775b93d0a8d5744a4d74be91e640f2b2ad95096a0c2dba83f8a25c43fd0d07aa937fa286c4e84edc8df7efccc809252125e0d21865

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
6KB

MD5
7879563b3ae36fa1fac713f96a0ae10f

SHA1
50a9b290d8da684b510c9de9ad88511949d8c094

SHA256
0cab8d4853993e4a1432fd7831fc2ff59f6ff5de8ffa8a5119026572797dd904

SHA512
c88c56427c34d890c74b3c87b3732d359a23ab9c6b19b41230cd023609e499a009846ab28c9cba33df7f5b44025597251cafc8fb6cadddd58e114732fe7a36d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
90400ab0401f05fad835a0af8b96c60c

SHA1
227a27b58111ed797236dcbfdff1b86e8f5cdb76

SHA256
4b244a654b723f8a0869cf31987276bec1efc40cb26a176b35a46de53fb1b891

SHA512
686a831677991803bce1df544392f91c0ed157d492fdca326d46e0f35b760f614c7cfbd518098d0db18eb26cc5b38e44d5ce564b1dd7826f7060408fcb261e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
b472d2d300ba493b96db5eb26f1d9a15

SHA1
6f1b18a0b30f84ef37ce2cc9a48645bfd7e2fc47

SHA256
0ed49bde0ca3f9d4be5e885a2ae916e5e0368549daef9380490860eb1549cb9a

SHA512
fcadac291b2dcaa97711975fc960a08e79c30a44c917638d72e348e4c566e52e5cdf13b327fdf4fd818ef624a679037b608dd30996e5a599e4fb463cb6ea6392

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
731c0e733fe1e3123d366af7c8e578ae

SHA1
9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

SHA256
8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

SHA512
d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

Download Submit
memory/600-0-0x0000000073A21000-0x0000000073A22000-memory.dmp

Filesize
4KB

Download
memory/600-1-0x0000000073A20000-0x0000000073FD0000-memory.dmp

Filesize
5.7MB

Download
memory/600-2-0x0000000073A20000-0x0000000073FD0000-memory.dmp

Filesize
5.7MB

Download
memory/600-5-0x0000000073A20000-0x0000000073FD0000-memory.dmp

Filesize
5.7MB

Download
memory/600-6-0x0000000073A20000-0x0000000073FD0000-memory.dmp

Filesize
5.7MB

Download