Analysis

  • max time kernel
    35s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/11/2022, 07:04

General

  • Target

    nanocore.exe

  • Size

    203KB

  • MD5

    ed5717c73d6154878680094160a47372

  • SHA1

    c72a730a739a61f1ba59c9cda6360fa73ece3f80

  • SHA256

    16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac

  • SHA512

    90c23a8bbe5974a7c4bb0584e9e09942f35e115ce2ddff4457c0c33128ea189e4082dbf94fea938d3dc93a51bf147fb6aeef05220ec98d62780d65a3abc899cf

  • SSDEEP

    6144:MLV6Bta6dtJmakIM5PBGmPDZ1ZgJB6QUWk:MLV6BtpmkOBGmPDZ1gB65Wk

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nanocore.exe
    "C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1212
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1512

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp

          Filesize

          1KB

          MD5

          c1537facbed38a07cf8821a32f017448

          SHA1

          4c5f1d0254eb77121a18368e4d4ee285c79788cd

          SHA256

          9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a

          SHA512

          fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a

        • C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp

          Filesize

          1KB

          MD5

          ea7095fa975a5ac043c9de2899ce61d0

          SHA1

          ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

          SHA256

          5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

          SHA512

          b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

        • memory/2020-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

          Filesize

          8KB

        • memory/2020-59-0x0000000074F70000-0x000000007551B000-memory.dmp

          Filesize

          5.7MB

        • memory/2020-60-0x0000000074F70000-0x000000007551B000-memory.dmp

          Filesize

          5.7MB