Analysis Overview
SHA256
16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac
Threat Level: Known bad
The file nanocore.payload-disk was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-16 07:04
Signatures
Nanocore family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-16 07:04
Reported
2022-11-16 07:07
Platform
win7-20221111-en
Max time kernel
35s
Max time network
149s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\nanocore.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp"
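The process tree above is the whole persistence chain: the dropper runs from the user's Temp directory, writes an HKLM Run value pointing at the copy it placed under Program Files (x86), and registers two scheduled tasks by handing schtasks.exe an XML definition from a .tmp file in the same Temp directory. The following detection logic is an added example written for this page, not code from the sandbox or from the NanoCore sample; it runs over constructed Sysmon-style event records that mirror the report (process creation, Event ID 1, and registry value set, Event ID 13) and flags the two behaviours independently, then escalates a process that exhibits both. Field names, the list of user-writable directories, and the benign control event are assumptions.

```python
"""Detect the persistence chain recorded above: a dropper in %TEMP% spawns
schtasks.exe with '/create ... /xml <temp file>' and sets an HKLM Run value.
SAMPLE_EVENTS is constructed to mirror the report; it is not raw sandbox log data."""
import ntpath
import re
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed, Sysmon-style field names
    {"EventID": 1, "ProcessId": 2020, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"'},
    {"EventID": 1, "ProcessId": 1212, "ParentProcessId": 2020,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"'},
    {"EventID": 1, "ProcessId": 1512, "ParentProcessId": 2020,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp"'},
    {"EventID": 13, "ProcessId": 2020,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager",
     "Details": r"C:\Program Files (x86)\ISS Manager\issmgr.exe"},
    # benign control (constructed, assumed): an admin importing a task definition from a script directory
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /xml "C:\Scripts\backup.xml"'},
]

# assumed set of user-writable locations a dropper typically executes from
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)|ProgramData|Users\\Public)\\", re.I)
# matches both the HKLM\... form used by Sysmon and the \REGISTRY\MACHINE\... form in the report
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TASK_XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path or ""))


def rule_schtasks_xml_from_temp(ev):
    """EID 1: schtasks.exe /create with an XML definition, where the parent process
    or the XML file itself lives in a user-writable directory. Attributed to the parent PID."""
    if ev.get("EventID") != 1 or ntpath.basename(ev.get("Image", "")).lower() != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    m = TASK_XML_ARG.search(cmd)
    xml_path = (m.group(1) or m.group(2)) if m else None
    if is_user_writable(ev.get("ParentImage")) or (xml_path and is_user_writable(xml_path)):
        return {"rule": "schtasks_xml_from_user_writable", "pid": ev["ParentProcessId"], "evidence": cmd}
    return None


def rule_run_key_from_temp(ev):
    """EID 13: Run/RunOnce value written by a process executing from a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    if is_user_writable(ev.get("Image")):
        return {"rule": "run_key_set_by_user_writable_image", "pid": ev["ProcessId"],
                "evidence": f'{ev["TargetObject"]} = {ev["Details"]}'}
    return None


RULES = (rule_schtasks_xml_from_temp, rule_run_key_from_temp)


def detect(events):
    """Run every rule over every event; return the list of individual findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def correlate(findings):
    """Escalate PIDs that triggered every rule: scheduled-task creation plus a Run key
    from one process in Temp is the chain seen in this report."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f["pid"]].add(f["rule"])
    return sorted(pid for pid, rules in by_pid.items() if len(rules) == len(RULES))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h["rule"], h["pid"], h["evidence"])
    print("escalate:", correlate(hits))
```

The schtasks rule attributes the finding to the parent PID rather than to schtasks.exe itself, so that both the Run key write and the task creation land on the dropper (PID 2020 in the win7 run) and can be correlated; the benign control, where neither cmd.exe nor the XML path is user-writable, produces no finding.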
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp |
| N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp |
| N/A | 176.113.115.157:419 | N/A | tcp |
| N/A | 176.113.115.155:419 | N/A | tcp |
| N/A | 176.113.115.156:419 | N/A | tcp |
| N/A | 80.66.75.4:419 | N/A | tcp |
| N/A | 176.113.115.154:419 | N/A | tcp |
| N/A | 213.91.128.133:10060 | N/A | tcp |
| N/A | 176.113.115.153:419 | N/A | tcp |
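The network table shows the C2 pattern worth hunting for: the sample resolves a dynamic-DNS hostname (nanomalay23.hopto.org) directly via 8.8.8.8 rather than the local resolver, then opens a TCP session to the answer on a non-web port (85.208.136.69:6932). The remaining rows are TCP sessions to addresses for which the report records no domain. The script below is an added example for this page, not code from the sandbox or the sample; it correlates constructed DNS and connection records in a Zeek-like shape to surface both patterns. The internal resolver address, the dynamic-DNS suffix list beyond hopto.org, the benign records and the correlation window are assumptions.

```python
"""Hunt for the C2 pattern in this report: a dynamic-DNS lookup sent to a public
resolver, followed by TCP to the answer on a non-web port, plus TCP on non-web
ports to addresses the host never resolved. Log records are constructed."""
from collections import defaultdict

INTERNAL_RESOLVERS = {"10.0.0.53"}          # assumed enterprise resolver
DDNS_SUFFIXES = (".hopto.org", ".no-ip.org", ".ddns.net", ".duckdns.org")  # assumed list
WEB_PORTS = {80, 443}

DNS_LOG = [  # constructed; first record mirrors the report
    {"ts": 100.0, "src": "192.168.1.10", "resolver": "8.8.8.8",
     "query": "nanomalay23.hopto.org", "answers": ["85.208.136.69"]},
    {"ts": 101.0, "src": "192.168.1.10", "resolver": "10.0.0.53",
     "query": "www.example.com", "answers": ["203.0.113.10"]},
]
CONN_LOG = [  # constructed; first and third records mirror the report
    {"ts": 100.5, "src": "192.168.1.10", "dst": "85.208.136.69", "dport": 6932, "proto": "tcp"},
    {"ts": 101.5, "src": "192.168.1.10", "dst": "203.0.113.10", "dport": 80, "proto": "tcp"},
    {"ts": 102.0, "src": "192.168.1.10", "dst": "176.113.115.157", "dport": 419, "proto": "tcp"},
]


def is_ddns(name):
    return name.lower().endswith(DDNS_SUFFIXES)


def hunt(dns_log, conn_log, window=300.0):
    """Flag connections a host makes to an address it learned by resolving a
    dynamic-DNS name within `window` seconds, annotating the aggravating factors."""
    findings = []
    for q in dns_log:
        if not is_ddns(q["query"]):
            continue
        reasons = ["dynamic_dns"]
        if q["resolver"] not in INTERNAL_RESOLVERS:
            reasons.append("external_resolver")   # bypasses internal DNS logging and filtering
        for c in conn_log:
            if c["src"] != q["src"] or c["dst"] not in q["answers"]:
                continue
            if not (q["ts"] <= c["ts"] <= q["ts"] + window):
                continue
            r = list(reasons)
            if c["proto"] == "tcp" and c["dport"] not in WEB_PORTS:
                r.append("non_web_port")
            findings.append({"src": c["src"], "query": q["query"], "dst": c["dst"],
                             "dport": c["dport"], "reasons": r})
    return findings


def direct_to_ip(dns_log, conn_log):
    """TCP sessions on non-web ports to addresses the same host never resolved,
    the shape of the domain-less rows in the report; returned for analyst review."""
    resolved = defaultdict(set)
    for q in dns_log:
        resolved[q["src"]].update(q["answers"])
    return [(c["src"], c["dst"], c["dport"]) for c in conn_log
            if c["proto"] == "tcp" and c["dport"] not in WEB_PORTS
            and c["dst"] not in resolved[c["src"]]]


if __name__ == "__main__":
    for f in hunt(DNS_LOG, CONN_LOG):
        print(f)
    print("direct-to-IP:", direct_to_ip(DNS_LOG, CONN_LOG))
```

Correlating on the resolved answer rather than on the hostname string is what makes the hunt robust to the operator rotating the DDNS record: any connection that follows a dynamic-DNS lookup from the same host is tied back to that lookup, and the external-resolver and non-web-port factors raise its priority.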
Files
memory/2020-54-0x00000000767B1000-0x00000000767B3000-memory.dmp
memory/1212-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp
| MD5 | c1537facbed38a07cf8821a32f017448 |
| SHA1 | 4c5f1d0254eb77121a18368e4d4ee285c79788cd |
| SHA256 | 9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a |
| SHA512 | fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a |
memory/1512-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp
| MD5 | ea7095fa975a5ac043c9de2899ce61d0 |
| SHA1 | ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3 |
| SHA256 | 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f |
| SHA512 | b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb |
memory/2020-59-0x0000000074F70000-0x000000007551B000-memory.dmp
memory/2020-60-0x0000000074F70000-0x000000007551B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-16 07:04
Reported
2022-11-16 07:07
Platform
win10v2004-20221111-en
Max time kernel
108s
Max time network
148s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4256 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4256 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4256 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4256 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4256 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4256 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\nanocore.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp |
| N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp |
| N/A | 20.189.173.14:443 | N/A | tcp |
| N/A | 20.123.104.105:443 | N/A | tcp |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 67.26.105.254:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/4620-132-0x0000000000000000-mapping.dmp
memory/4256-133-0x00000000753C0000-0x0000000075971000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp
| MD5 | c1537facbed38a07cf8821a32f017448 |
| SHA1 | 4c5f1d0254eb77121a18368e4d4ee285c79788cd |
| SHA256 | 9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a |
| SHA512 | fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a |
memory/2904-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp
| MD5 | da7aec92f4b1e721f6eeccec52db4901 |
| SHA1 | e1bc32c2277c42aec2356f6242ee427af53c2a52 |
| SHA256 | 7bcfd205f07bffa61c788644c1d6639d03126c46fdbd6550f7e21795dc78b3c0 |
| SHA512 | 340e234cdfb1b327369378131629f0ff5538c6a1c578c59bfc1b66442ff3f5793f119db13b8d3f158969071eb0fc0c7fbe5c79094572fac0cea528489bf11720 |
memory/4256-137-0x00000000753C0000-0x0000000075971000-memory.dmp