Analysis
-
max time kernel
35s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
16/11/2022, 07:04
Behavioral task
behavioral1
Sample
nanocore.exe
Resource
win7-20221111-en
General
-
Target
nanocore.exe
-
Size
203KB
-
MD5
ed5717c73d6154878680094160a47372
-
SHA1
c72a730a739a61f1ba59c9cda6360fa73ece3f80
-
SHA256
16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac
-
SHA512
90c23a8bbe5974a7c4bb0584e9e09942f35e115ce2ddff4457c0c33128ea189e4082dbf94fea938d3dc93a51bf147fb6aeef05220ec98d62780d65a3abc899cf
-
SSDEEP
6144:MLV6Bta6dtJmakIM5PBGmPDZ1ZgJB6QUWk:MLV6BtpmkOBGmPDZ1gB65Wk
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" nanocore.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\ISS Manager\issmgr.exe nanocore.exe File opened for modification C:\Program Files (x86)\ISS Manager\issmgr.exe nanocore.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1212 schtasks.exe 1512 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2020 nanocore.exe 2020 nanocore.exe 2020 nanocore.exe 2020 nanocore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2020 nanocore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2020 nanocore.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2020 wrote to memory of 1212 2020 nanocore.exe 28 PID 2020 wrote to memory of 1212 2020 nanocore.exe 28 PID 2020 wrote to memory of 1212 2020 nanocore.exe 28 PID 2020 wrote to memory of 1212 2020 nanocore.exe 28 PID 2020 wrote to memory of 1512 2020 nanocore.exe 30 PID 2020 wrote to memory of 1512 2020 nanocore.exe 30 PID 2020 wrote to memory of 1512 2020 nanocore.exe 30 PID 2020 wrote to memory of 1512 2020 nanocore.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\nanocore.exe"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"2⤵
- Creates scheduled task(s)
PID:1212
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp"2⤵
- Creates scheduled task(s)
PID:1512
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c1537facbed38a07cf8821a32f017448
SHA14c5f1d0254eb77121a18368e4d4ee285c79788cd
SHA2569901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a
SHA512fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a
-
Filesize
1KB
MD5ea7095fa975a5ac043c9de2899ce61d0
SHA1ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
SHA2565a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
SHA512b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb