Analysis
-
max time kernel
108s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
16/11/2022, 07:04
Behavioral task
behavioral1
Sample
nanocore.exe
Resource
win7-20221111-en
General
-
Target
nanocore.exe
-
Size
203KB
-
MD5
ed5717c73d6154878680094160a47372
-
SHA1
c72a730a739a61f1ba59c9cda6360fa73ece3f80
-
SHA256
16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac
-
SHA512
90c23a8bbe5974a7c4bb0584e9e09942f35e115ce2ddff4457c0c33128ea189e4082dbf94fea938d3dc93a51bf147fb6aeef05220ec98d62780d65a3abc899cf
-
SSDEEP
6144:MLV6Bta6dtJmakIM5PBGmPDZ1ZgJB6QUWk:MLV6BtpmkOBGmPDZ1gB65Wk
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" nanocore.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\PCI Manager\pcimgr.exe nanocore.exe File opened for modification C:\Program Files (x86)\PCI Manager\pcimgr.exe nanocore.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4620 schtasks.exe 2904 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4256 nanocore.exe 4256 nanocore.exe 4256 nanocore.exe 4256 nanocore.exe 4256 nanocore.exe 4256 nanocore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4256 nanocore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4256 nanocore.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4256 wrote to memory of 4620 4256 nanocore.exe 81 PID 4256 wrote to memory of 4620 4256 nanocore.exe 81 PID 4256 wrote to memory of 4620 4256 nanocore.exe 81 PID 4256 wrote to memory of 2904 4256 nanocore.exe 83 PID 4256 wrote to memory of 2904 4256 nanocore.exe 83 PID 4256 wrote to memory of 2904 4256 nanocore.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\nanocore.exe"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp"2⤵
- Creates scheduled task(s)
PID:4620
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp"2⤵
- Creates scheduled task(s)
PID:2904
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c1537facbed38a07cf8821a32f017448
SHA14c5f1d0254eb77121a18368e4d4ee285c79788cd
SHA2569901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a
SHA512fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a
-
Filesize
1KB
MD5da7aec92f4b1e721f6eeccec52db4901
SHA1e1bc32c2277c42aec2356f6242ee427af53c2a52
SHA2567bcfd205f07bffa61c788644c1d6639d03126c46fdbd6550f7e21795dc78b3c0
SHA512340e234cdfb1b327369378131629f0ff5538c6a1c578c59bfc1b66442ff3f5793f119db13b8d3f158969071eb0fc0c7fbe5c79094572fac0cea528489bf11720