nanocore | 5341e6d0abe6278fd72b162c267b82d3af20dbf7c407e24f70b99ea6235fa85d

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xmpp.exe
Size

322KB
MD5

08012e03be6f628b09e73c4a65614e88
SHA1

97f1690d23ce1f522469e9769e98ffa222b234b7
SHA256

5341e6d0abe6278fd72b162c267b82d3af20dbf7c407e24f70b99ea6235fa85d
SHA512

dfcdb8a1f7751b53cf7da5ad1d6a30609945425874e553fc2b792388356b2b3c8cbf65afb4143aafa9e590d1dc8c3dc116a03e3f8726d5a6233aa687cf697b3f
SSDEEP

6144:+LV6Bta6dtJmakIM5iY/uQ/MwCUcMw5bUqNxyZ6QAbAj6gB4AVaHW+Gm6J0QPY:+LV6BtpmkqSwAJ8VAMj6U4AV5tJ0Qw

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

xmpp.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsvc.exe" xmpp.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xmpp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xmpp.exe
Drops file in Program Files directory 2 IoCs

Processes:

xmpp.exe

description ioc process

File created C:\Program Files (x86)\DDP Service\ddpsvc.exe xmpp.exe
File opened for modification C:\Program Files (x86)\DDP Service\ddpsvc.exe xmpp.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2968 schtasks.exe
2320 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xmpp.exe

pid process

1844 xmpp.exe
1844 xmpp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xmpp.exe

pid process

1844 xmpp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xmpp.exe

description pid process

Token: SeDebugPrivilege 1844 xmpp.exe
Token: SeDebugPrivilege 1844 xmpp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsvc.exe"	xmpp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xmpp.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Service\ddpsvc.exe	xmpp.exe
File opened for modification	C:\Program Files (x86)\DDP Service\ddpsvc.exe	xmpp.exe

pid	process
2968	schtasks.exe
2320	schtasks.exe

pid	process
1844	xmpp.exe
1844	xmpp.exe

pid	process
1844	xmpp.exe

description	pid	process
Token: SeDebugPrivilege	1844	xmpp.exe
Token: SeDebugPrivilege	1844	xmpp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

xmpp.exe

description	pid	process	target process
PID 1844 wrote to memory of 2968	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2968	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2968	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2968	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2320	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2320	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2320	1844	xmpp.exe	schtasks.exe
PID 1844 wrote to memory of 2320	1844	xmpp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\xmpp.exe
"C:\Users\Admin\AppData\Local\Temp\xmpp.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp
Filesize
1KB

MD5
f6f3f22a55c23847f3ec537d9d50d61b

SHA1
21d7ee9cbbdc0103676e386f502f7c91a88ae10a

SHA256
23e92430a460ee36367a7239595be60e4fa0cad39688d1dad10b3e5a2788882f

SHA512
f54d5488114af2a87e7cd722a84301161242dc664093ff996a41d9465d7c0702f0aae6fa124a94d64cfee9cedf563e340559189b26baf53fe05ad0814e6de566

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp
Filesize
1KB

MD5
2a91b19749346c8f783945a00a5050d7

SHA1
66c61f7802ac5b83aae26f6042575717209bae3e

SHA256
0b0a294877234b2406c573060ff13262da0414485c0954ef8961a9429d9f7fb1

SHA512
c5b044a2bda0ad0d38fb57ffb54611381f05ef6ef2f14481d00c278ecefda2d963ef41b2ef6e2bb16718fb8e5aa859bf2b9f870bf3ba8959c5a6b5b03aa53622

Download Submit
memory/1844-0-0x00000000740E1000-0x00000000740E2000-memory.dmp

Filesize
4KB

Download
memory/1844-1-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-2-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-10-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download