NanoCore Trojan is protected in memory from being killed off
If you are infected with this malware, you might find it is more difficult to eradicate than standard Trojans
January 16, 2019
https://www.zdnet.com/article/nanocore-trojan-stops-you-killing-its-process/
This is some sneaky stuff, so even AVs would not be able to kill it? If you ask me, this is a design fault in the Windows OS.
The macro VBA code, hash = FFEE1A33C084360B24C5B987B80887A2D77248224DBD6A0B6574FF9CEF74BDD6, is detected by 35/58 on VT. WD is not one of them. The .exe, hash = 32BB5F767FE7788BCA4DD07F89F145D70EC3F58E2581CAB9CA6182D3FCE9BC86, is detected by 54/70 on VT. So if you're using a major third-party AV solution, I wouldn't worry about this one.
If it can't execute, you don't have to worry about killing it. Although the technique used could be deployed in another 0-day malware.
This is a no-brainer, but to me it's more about the techniques being used and whether HIPS will be able to block them. IMO, it should not have been possible to use this technique without using a driver, for example, but apparently Windows does give malware the opportunity. So yes, it's a design fault if you ask me.
It's a trojan and fairly easy to remove if you know where to look: Its main danger is that, if allowed to execute, it can't be terminated other than by system shutdown. Also, I just ran across a ransomware sample exhibiting the same behavior - it couldn't be terminated. So I would say this malware's main danger is the non-termination technique it introduced.
Recent detailed technical analysis of NanoCore here: https://securityaffairs.co/wordpress/87103/malware/dissecting-nanocore-crimeware.html. Of note is its use of doubled schtasks.exe execution where the child process one is executed on the fly.