Analysis

  • max time kernel
    108s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/11/2022, 07:04

General

  • Target

    nanocore.exe

  • Size

    203KB

  • MD5

    ed5717c73d6154878680094160a47372

  • SHA1

    c72a730a739a61f1ba59c9cda6360fa73ece3f80

  • SHA256

    16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac

  • SHA512

    90c23a8bbe5974a7c4bb0584e9e09942f35e115ce2ddff4457c0c33128ea189e4082dbf94fea938d3dc93a51bf147fb6aeef05220ec98d62780d65a3abc899cf

  • SSDEEP

    6144:MLV6Bta6dtJmakIM5PBGmPDZ1ZgJB6QUWk:MLV6BtpmkOBGmPDZ1gB65Wk

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\nanocore.exe
    "C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4620
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2904

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp

          Filesize

          1KB

          MD5

          c1537facbed38a07cf8821a32f017448

          SHA1

          4c5f1d0254eb77121a18368e4d4ee285c79788cd

          SHA256

          9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a

          SHA512

          fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a

        • C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp

          Filesize

          1KB

          MD5

          da7aec92f4b1e721f6eeccec52db4901

          SHA1

          e1bc32c2277c42aec2356f6242ee427af53c2a52

          SHA256

          7bcfd205f07bffa61c788644c1d6639d03126c46fdbd6550f7e21795dc78b3c0

          SHA512

          340e234cdfb1b327369378131629f0ff5538c6a1c578c59bfc1b66442ff3f5793f119db13b8d3f158969071eb0fc0c7fbe5c79094572fac0cea528489bf11720

        • memory/4256-133-0x00000000753C0000-0x0000000075971000-memory.dmp

          Filesize

          5.7MB

        • memory/4256-137-0x00000000753C0000-0x0000000075971000-memory.dmp

          Filesize

          5.7MB