Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-03-2023 15:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: nanobc.exe
- Resource: win7-20230220-en
General
- Target: nanobc.exe
- Size: 369KB
- MD5: 43209bda3c2993ca22a38d243a8e7747
- SHA1: a684fb8f5063e5f130fff32d668741c3cc016698
- SHA256: 1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
- SHA512: d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa
- SSDEEP: 6144:m7XJ+YM8OJ7mEkoAUz1qp2fHmiIth7PkQm1aZX4:mN+Y47myAUzUseicPlN
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: blessed1234.duckdns.org:2023
- Mutex: a8941196-a5c4-4b0f-ba02-65265f59a258

Configuration keys:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-12-30T14:36:15.993957836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2023
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: a8941196-a5c4-4b0f-ba02-65265f59a258
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: blessed1234.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1564  svchost.exe
1216  svchost.exe
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                                     process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RegAsm.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process      target process
PID 1156 set thread context of 4696  1156  nanobc.exe   RegAsm.exe
PID 1564 set thread context of 1348  1564  svchost.exe  RegAsm.exe
PID 1216 set thread context of 5036  1216  svchost.exe  RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2168  schtasks.exe
4204  schtasks.exe
4996  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
4696  RegAsm.exe
4696  RegAsm.exe
4696  RegAsm.exe
4696  RegAsm.exe
4696  RegAsm.exe
4696  RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
4696  RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4696  RegAsm.exe
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes (identical entries grouped; count = number of repeated entries):
description                       pid   process      target process  count
PID 1156 wrote to memory of 4696  1156  nanobc.exe   RegAsm.exe      8
PID 1156 wrote to memory of 2124  1156  nanobc.exe   cmd.exe         3
PID 1156 wrote to memory of 2800  1156  nanobc.exe   cmd.exe         3
PID 1156 wrote to memory of 3476  1156  nanobc.exe   cmd.exe         3
PID 2800 wrote to memory of 2168  2800  cmd.exe      schtasks.exe    3
PID 1564 wrote to memory of 1348  1564  svchost.exe  RegAsm.exe      8
PID 1564 wrote to memory of 3016  1564  svchost.exe  cmd.exe         3
PID 1564 wrote to memory of 4604  1564  svchost.exe  cmd.exe         3
PID 1564 wrote to memory of 4332  1564  svchost.exe  cmd.exe         3
PID 4604 wrote to memory of 4204  4604  cmd.exe      schtasks.exe    3
PID 1216 wrote to memory of 5036  1216  svchost.exe  RegAsm.exe      8
PID 1216 wrote to memory of 4888  1216  svchost.exe  cmd.exe         3
PID 1216 wrote to memory of 4304  1216  svchost.exe  cmd.exe         3
PID 1216 wrote to memory of 336   1216  svchost.exe  cmd.exe         3
PID 4304 wrote to memory of 4996  4304  cmd.exe      schtasks.exe    3
Processes
- C:\Users\Admin\AppData\Local\Temp\nanobc.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\nanobc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\nanobc.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize: 1KB
MD5: 84e77a587d94307c0ac1357eb4d3d46f
SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize: 517B
MD5: 13f84b613e6a4dd2d82f7c44b2295a04
SHA1: f9e07213c2825ecb28e732f3e66e07625747c4b3
SHA256: d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33
SHA512: 3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize: 369KB
MD5: 43209bda3c2993ca22a38d243a8e7747
SHA1: a684fb8f5063e5f130fff32d668741c3cc016698
SHA256: 1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
SHA512: d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize: 369KB
MD5: 43209bda3c2993ca22a38d243a8e7747
SHA1: a684fb8f5063e5f130fff32d668741c3cc016698
SHA256: 1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
SHA512: d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize: 369KB
MD5: 43209bda3c2993ca22a38d243a8e7747
SHA1: a684fb8f5063e5f130fff32d668741c3cc016698
SHA256: 1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
SHA512: d2f251870595fae9fb72e9582935dc6d16d2490cd0a42cff794e151855b5edd6efd221922b8fc286e0e458209126118cc24d705e5070169771f9b34c8ec909fa
-
memory/1156-134-0x0000000004C90000-0x0000000004CF6000-memory.dmp
Filesize: 408KB
-
memory/1156-135-0x0000000004E50000-0x0000000004E60000-memory.dmp
Filesize: 64KB
-
memory/1156-133-0x00000000002D0000-0x0000000000332000-memory.dmp
Filesize: 392KB
-
memory/1348-157-0x0000000004E30000-0x0000000004E40000-memory.dmp
Filesize: 64KB
-
memory/4696-141-0x0000000005210000-0x00000000057B4000-memory.dmp
Filesize: 5.6MB
-
memory/4696-151-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
Filesize: 64KB
-
memory/4696-152-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
Filesize: 64KB
-
memory/4696-148-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
Filesize: 64KB
-
memory/4696-146-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
Filesize: 64KB
-
memory/4696-144-0x00000000025A0000-0x00000000025AA000-memory.dmp
Filesize: 40KB
-
memory/4696-143-0x0000000004D00000-0x0000000004D9C000-memory.dmp
Filesize: 624KB
-
memory/4696-142-0x0000000004C60000-0x0000000004CF2000-memory.dmp
Filesize: 584KB
-
memory/4696-138-0x0000000000700000-0x0000000000738000-memory.dmp
Filesize: 224KB
-
memory/5036-163-0x0000000005820000-0x0000000005830000-memory.dmp
Filesize: 64KB