Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
01-01-2023 06:04
Behavioral task
behavioral1
Sample
Setup NanoCore.exe
Resource
win7-20220812-en
General
-
Target
Setup NanoCore.exe
-
Size
502KB
-
MD5
2432a79f87ae0700a2f681bb4c80fc7d
-
SHA1
7305644f24889c2d1184b1917427ef73b25b3c9d
-
SHA256
462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
-
SHA512
ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
-
SSDEEP
6144:oTEgdc0YZXbZvdo6EsRwdCO+ZSOD/A6uscEwqb8F9WQLSqYYcTR32:oTEgdfYvdo6VZksgN7S1Ycd2
Malware Config
Extracted
quasar
1.4.0
Office01
192.168.126.1:4782
5.165.98.151:4782
a85aa22e-e90d-4495-8562-3795974d8493
-
encryption_key
11F19CA636E6BC02F3A0417454F784805D789D97
-
install_name
NanoCore.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Startup
-
subdirectory
AntiMalware Service Рфслув
Signatures
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1344-54-0x0000000000220000-0x00000000002A4000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe | family_quasar
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe | family_quasar
behavioral1/memory/1676-60-0x00000000001E0000-0x0000000000264000-memory.dmp | family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1676 | NanoCore.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1344 | Setup NanoCore.exe
Token: SeDebugPrivilege | 1676 | NanoCore.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1676 | NanoCore.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1344 wrote to memory of 824 | 1344 | Setup NanoCore.exe | schtasks.exe
PID 1344 wrote to memory of 824 | 1344 | Setup NanoCore.exe | schtasks.exe
PID 1344 wrote to memory of 824 | 1344 | Setup NanoCore.exe | schtasks.exe
PID 1344 wrote to memory of 1676 | 1344 | Setup NanoCore.exe | NanoCore.exe
PID 1344 wrote to memory of 1676 | 1344 | Setup NanoCore.exe | NanoCore.exe
PID 1344 wrote to memory of 1676 | 1344 | Setup NanoCore.exe | NanoCore.exe
PID 1676 wrote to memory of 1756 | 1676 | NanoCore.exe | schtasks.exe
PID 1676 wrote to memory of 1756 | 1676 | NanoCore.exe | schtasks.exe
PID 1676 wrote to memory of 1756 | 1676 | NanoCore.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
    "C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
Filesize
502KB
MD5
2432a79f87ae0700a2f681bb4c80fc7d
SHA1
7305644f24889c2d1184b1917427ef73b25b3c9d
SHA256
462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
SHA512
ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
-
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
Filesize
502KB
MD5
2432a79f87ae0700a2f681bb4c80fc7d
SHA1
7305644f24889c2d1184b1917427ef73b25b3c9d
SHA256
462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
SHA512
ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
-
memory/824-56-0x0000000000000000-mapping.dmp
-
memory/1344-54-0x0000000000220000-0x00000000002A4000-memory.dmp
Filesize
528KB
-
memory/1344-55-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
Filesize
8KB
-
memory/1676-57-0x0000000000000000-mapping.dmp
-
memory/1676-60-0x00000000001E0000-0x0000000000264000-memory.dmp
Filesize
528KB
-
memory/1756-62-0x0000000000000000-mapping.dmp