Analysis
- max time kernel: 128s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-01-2023 06:04
Behavioral task
- behavioral1
- Sample: Setup NanoCore.exe
- Resource: win7-20220812-en
General
- Target: Setup NanoCore.exe
- Size: 502KB
- MD5: 2432a79f87ae0700a2f681bb4c80fc7d
- SHA1: 7305644f24889c2d1184b1917427ef73b25b3c9d
- SHA256: 462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
- SHA512: ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
- SSDEEP: 6144:oTEgdc0YZXbZvdo6EsRwdCO+ZSOD/A6uscEwqb8F9WQLSqYYcTR32:oTEgdfYvdo6VZksgN7S1Ycd2
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0
- Office01
- C2: 192.168.126.1:4782
- C2: 5.165.98.151:4782
- a85aa22e-e90d-4495-8562-3795974d8493
- encryption_key: 11F19CA636E6BC02F3A0417454F784805D789D97
- install_name: NanoCore.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Startup
- subdirectory: AntiMalware Service Рфслув
Signatures
- Quasar payload (3 IoCs)
  Processes (resource, yara_rule):
  - behavioral2/memory/4572-132-0x0000000000F20000-0x0000000000FA4000-memory.dmp: family_quasar
  - C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe: family_quasar
  - C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe: family_quasar
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2496: NanoCore.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 4516: schtasks.exe
  - PID 4884: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 4572: Setup NanoCore.exe
  - Token: SeDebugPrivilege, PID 2496: NanoCore.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 2496: NanoCore.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 4572 (Setup NanoCore.exe) wrote to memory of PID 4516 (schtasks.exe)
  - PID 4572 (Setup NanoCore.exe) wrote to memory of PID 4516 (schtasks.exe)
  - PID 4572 (Setup NanoCore.exe) wrote to memory of PID 2496 (NanoCore.exe)
  - PID 4572 (Setup NanoCore.exe) wrote to memory of PID 2496 (NanoCore.exe)
  - PID 2496 (NanoCore.exe) wrote to memory of PID 4884 (schtasks.exe)
  - PID 2496 (NanoCore.exe) wrote to memory of PID 4884 (schtasks.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
    Command line: "C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
  Filesize: 502KB
  MD5: 2432a79f87ae0700a2f681bb4c80fc7d
  SHA1: 7305644f24889c2d1184b1917427ef73b25b3c9d
  SHA256: 462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
  SHA512: ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
- memory/2496-135-0x0000000000000000-mapping.dmp
- memory/2496-139-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp (Filesize: 10.8MB)
- memory/2496-141-0x0000000002870000-0x00000000028C0000-memory.dmp (Filesize: 320KB)
- memory/2496-142-0x000000001CE20000-0x000000001CED2000-memory.dmp (Filesize: 712KB)
- memory/2496-143-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp (Filesize: 10.8MB)
- memory/4516-134-0x0000000000000000-mapping.dmp
- memory/4572-132-0x0000000000F20000-0x0000000000FA4000-memory.dmp (Filesize: 528KB)
- memory/4572-133-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp (Filesize: 10.8MB)
- memory/4572-138-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp (Filesize: 10.8MB)
- memory/4884-140-0x0000000000000000-mapping.dmp