nanocore | 5341e6d0abe6278fd72b162c267b82d3af20dbf7c407e24f70b99ea6235fa85d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xmpp.exe
Size

322KB
MD5

08012e03be6f628b09e73c4a65614e88
SHA1

97f1690d23ce1f522469e9769e98ffa222b234b7
SHA256

5341e6d0abe6278fd72b162c267b82d3af20dbf7c407e24f70b99ea6235fa85d
SHA512

dfcdb8a1f7751b53cf7da5ad1d6a30609945425874e553fc2b792388356b2b3c8cbf65afb4143aafa9e590d1dc8c3dc116a03e3f8726d5a6233aa687cf697b3f
SSDEEP

6144:+LV6Bta6dtJmakIM5iY/uQ/MwCUcMw5bUqNxyZ6QAbAj6gB4AVaHW+Gm6J0QPY:+LV6BtpmkqSwAJ8VAMj6U4AV5tJ0Qw

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

xmpp.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" xmpp.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xmpp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xmpp.exe
Drops file in Program Files directory 2 IoCs

Processes:

xmpp.exe

description ioc process

File created C:\Program Files (x86)\DDP Host\ddphost.exe xmpp.exe
File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe xmpp.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3476 schtasks.exe
1860 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

xmpp.exe

pid process

2444 xmpp.exe
2444 xmpp.exe
2444 xmpp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xmpp.exe

pid process

2444 xmpp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xmpp.exe

description pid process

Token: SeDebugPrivilege 2444 xmpp.exe
Token: SeDebugPrivilege 2444 xmpp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	xmpp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xmpp.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	xmpp.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	xmpp.exe

pid	process
3476	schtasks.exe
1860	schtasks.exe

pid	process
2444	xmpp.exe
2444	xmpp.exe
2444	xmpp.exe

pid	process
2444	xmpp.exe

description	pid	process
Token: SeDebugPrivilege	2444	xmpp.exe
Token: SeDebugPrivilege	2444	xmpp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

xmpp.exe

description	pid	process	target process
PID 2444 wrote to memory of 3476	2444	xmpp.exe	schtasks.exe
PID 2444 wrote to memory of 3476	2444	xmpp.exe	schtasks.exe
PID 2444 wrote to memory of 3476	2444	xmpp.exe	schtasks.exe
PID 2444 wrote to memory of 1860	2444	xmpp.exe	schtasks.exe
PID 2444 wrote to memory of 1860	2444	xmpp.exe	schtasks.exe
PID 2444 wrote to memory of 1860	2444	xmpp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\xmpp.exe
"C:\Users\Admin\AppData\Local\Temp\xmpp.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp466F.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp46BE.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp466F.tmp
Filesize
1KB

MD5
f6f3f22a55c23847f3ec537d9d50d61b

SHA1
21d7ee9cbbdc0103676e386f502f7c91a88ae10a

SHA256
23e92430a460ee36367a7239595be60e4fa0cad39688d1dad10b3e5a2788882f

SHA512
f54d5488114af2a87e7cd722a84301161242dc664093ff996a41d9465d7c0702f0aae6fa124a94d64cfee9cedf563e340559189b26baf53fe05ad0814e6de566

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46BE.tmp
Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/2444-0-0x0000000075342000-0x0000000075343000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-2-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-10-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-11-0x0000000075342000-0x0000000075343000-memory.dmp

Filesize
4KB

Download
memory/2444-12-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-13-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download