Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 12:18
Behavioral task: behavioral1
Sample: nanocore.exe
Resource: win7-20220812-en
General
- Target: nanocore.exe
- Size: 203KB
- MD5: d262a39ae9070fe568b3d5c0fbab50ae
- SHA1: deeb952a38460ffa85a1004865ca2b777757a1bd
- SHA256: 8541a15e2d7858556440d7b3e9196778058433d35f508eac051afc351966c983
- SHA512: 7e370ff52916a50b9c94789eea25c86fc2ad1fe1cefd5d0b3ddea5fe23be67f3328c17eec3d952e9e6ba19dd744358705c13648ac040561c07eb11391045b25f
- SSDEEP: 3072:UzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPFhtrUIEPOoDGUL3Ko64+nS26:ULV6Bta6dtJmakIM5sh80UOo9+nA53R
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: nanocore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" | nanocore.exe
- Checks whether UAC is enabled
  Processes: nanocore.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | nanocore.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: nanocore.exe
  description | ioc | process
  File created | C:\Program Files (x86)\SCSI Service\scsisvc.exe | nanocore.exe
  File opened for modification | C:\Program Files (x86)\SCSI Service\scsisvc.exe | nanocore.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: nanocore.exe
  pid | process
  872 | nanocore.exe
  872 | nanocore.exe
  872 | nanocore.exe
  872 | nanocore.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: nanocore.exe
  pid | process
  872 | nanocore.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: nanocore.exe
  description | pid | process
  Token: SeDebugPrivilege | 872 | nanocore.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: nanocore.exe
  description | pid | process | target process
  PID 872 wrote to memory of 368 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 368 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 368 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 368 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 1304 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 1304 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 1304 | 872 | nanocore.exe | schtasks.exe
  PID 872 wrote to memory of 1304 | 872 | nanocore.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\nanocore.exe
  "C:\Users\Admin\AppData\Local\Temp\nanocore.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23A8.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F9D.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp23A8.tmp
  Filesize: 1KB
  MD5: c1537facbed38a07cf8821a32f017448
  SHA1: 4c5f1d0254eb77121a18368e4d4ee285c79788cd
  SHA256: 9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a
  SHA512: fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a
- memory/368-56-0x0000000000000000-mapping.dmp
- memory/872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
  Filesize: 8KB
- memory/872-55-0x00000000740B0000-0x000000007465B000-memory.dmp
  Filesize: 5.7MB
- memory/872-58-0x00000000740B0000-0x000000007465B000-memory.dmp
  Filesize: 5.7MB
- memory/1304-59-0x0000000000000000-mapping.dmp