Analysis

- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 22:37

Static task: static1
Behavioral task: behavioral1
- Sample: Nanocore.exe
- Resource: win10v2004-20230220-en
General

- Target: Nanocore.exe
- Size: 1.5MB
- MD5: 18cc0a0c22f147a3e4bf9c55777b4f22
- SHA1: f0b3b4fd6287b463055ddd9fe75b528559feaef7
- SHA256: 1c90851dce5ace39a0926588f0034e99d3bae32dea2578b68bdb1add7c9508e1
- SHA512: efc01522d816d7a770c4e7a379caf00b81a43f24db313dcc3cd1ec5c32117dce4b4ebba2f1db210abb6dc659e18b3a74045f584f413dd620e0e83a6dea45b47e
- SSDEEP: 24576:yKWAN/6zZxEhXMV6ISdu+0TVc4SEltlYKwIPapqBwKYp9cHD2iYUdhwB/QqWJXpF:yhAN/6z3E9MV6ISdulTVcQ0IlYLcHD9v
Malware Config

Extracted family: xworm (the configuration the sandbox extracted is XWorm, even though the submitted file is named Nanocore.exe)
- C2: considered-arrest.at.ply.gg:19159 (a ply.gg hostname is a playit.gg tunnel endpoint, so the address it resolves to belongs to the tunnel provider rather than to the operator's own infrastructure)
- install_file: USB.exe
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Nanocore.exe: key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
- Windows Defender.exe: key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
- Windows Defender.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk
- Windows Defender.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Executes dropped EXE (4 IoCs)
- PID 5112 NanoCore.exe
- PID 1248 Windows Defender.exe
- PID 3812 Windows Defender.exe
- PID 3312 Windows Defender.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Windows Defender.exe: set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe"

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 29: ip-api.com

Drops file in Windows directory (1 IoC)
- dw20.exe: file created C:\Windows\AppCompat\Programs\Amcache.hve.tmp
dw20.exe is the .NET Framework error-reporting (Watson) tool, launched by the runtime after NanoCore.exe raised an unhandled exception; this write is part of the crash report, not a payload action.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but no file encryption is recorded anywhere in this report; read it alongside the extracted config's install_file of USB.exe (removable-drive spreading) rather than as evidence of ransomware.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- dw20.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- dw20.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- dw20.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
All three reads come from dw20.exe collecting hardware details for the crash report, not from the malware itself.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The exact command line (/create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender.exe") is in the process tree: a task named after Windows Defender that relaunches a user-profile executable every minute with highest run level.

Enumerates system info in registry (2 TTPs, 2 IoCs)
- dw20.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- dw20.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
As above, these are crash-report reads by the error-reporting tool.

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1248 Windows Defender.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
- SeDebugPrivilege: PID 1248 Windows Defender.exe (2 events), PID 5112 NanoCore.exe, PID 3812 Windows Defender.exe, PID 3312 Windows Defender.exe
- SeRestorePrivilege: PID 4588 dw20.exe
- SeBackupPrivilege: PID 4588 dw20.exe (4 events)
The SeBackup/SeRestore requests belong to the error-reporting tool; the SeDebugPrivilege requests are the malware's own.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1248 Windows Defender.exe

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 1424 Nanocore.exe wrote to PID 5112 NanoCore.exe (3 events)
- PID 1424 Nanocore.exe wrote to PID 1248 Windows Defender.exe (2 events)
- PID 5112 NanoCore.exe wrote to PID 4588 dw20.exe (3 events)
- PID 1248 Windows Defender.exe wrote to PID 3472 schtasks.exe (2 events)
Every target is the writer's own freshly created child (compare the process tree), which is consistent with process creation rather than injection into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Nanocore.exe (PID 1424, level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\Nanocore.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\NanoCore.exe (PID 5112, level 2, child of 1424)
    command line: "C:\Users\Admin\AppData\Roaming\NanoCore.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 4588, level 3, child of 5112)
        command line: dw20.exe -x -s 1168
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        dw20.exe is the .NET Framework error-reporting (Watson) tool, started by the runtime when a managed process hits an unhandled exception; its presence here means NanoCore.exe crashed, and everything attributed to PID 4588 is crash-report collection.

    C:\Users\Admin\AppData\Roaming\Windows Defender.exe (PID 1248, level 2, child of 1424)
    command line: "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\schtasks.exe (PID 3472, level 3, child of 1248)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
        - Creates scheduled task(s)

Two further top-level launches of C:\Users\Admin\AppData\Roaming\Windows Defender.exe (PIDs 3812 and 3312, level 1, consistent with the every-minute scheduled task firing), each with:
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
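The persistence chain above (Startup-folder .lnk, HKCU Run value, and a schtasks job that relaunches the same AppData executable every minute) is the part of this report most worth turning into detection logic. The following is an added example of my own, not code from the sandbox or from any vendor rule set. It runs a few correlated rules over a constructed list of Sysmon-style events (a simplified stand-in for Event ID 1 process create, 11 file create and 13 registry value set); the paths, user SID and schtasks command line are the ones this report records, while the event field names and the benign "VendorUpdate" control task are assumptions.

```python
"""Persistence-chain detection over Sysmon-style events (added example, not the report's own code)."""
import re
from collections import defaultdict

REPORT_SID = "S-1-5-21-2275444769-3691835758-4097679484-1000"  # user SID from the report

# Anything under a user's AppData is user-writable, so a persistence target there is suspicious.
USER_PROFILE_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# Executable names that borrow a security product's identity; "Windows Defender.exe" is the one in the report.
DECOY_BASENAMES = {"windows defender.exe", "msmpeng.exe", "securityhealthservice.exe"}


def norm(path):
    """Canonicalise a path as a sandbox or Sysmon may print it: strip quotes, undouble backslashes, lowercase."""
    return path.strip('"').replace("\\\\", "\\").lower()


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline):
    """Return {flag: value} for a `schtasks /create` command line, else None.
    Flags are lowercased; flags without a value (/create, /f) map to True."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts


def check_events(events):
    """Apply the persistence rules to a list of event dicts.

    Returns (findings, chains): findings is a list of (rule, event_index, detail);
    chains maps a launched path to the sorted rule names that point at it, kept only
    when two or more rules agree (the Run key + Startup .lnk + scheduled task triad)."""
    findings, hits = [], defaultdict(set)
    for idx, ev in enumerate(events):
        image = norm(ev.get("image", ""))
        if ev["type"] == "process":
            opts = parse_schtasks_create(ev.get("cmdline", ""))
            if opts:
                target = opts.get("/tr", "")
                every_minute = str(opts.get("/sc", "")).lower() == "minute"
                if isinstance(target, str) and USER_PROFILE_DIR.search(target) and every_minute:
                    detail = f"{target} every {opts.get('/mo', '1')} min, /rl {opts.get('/rl', 'LIMITED')}"
                    findings.append(("schtasks_relaunch_loop", idx, detail))
                    hits[norm(target)].add("schtasks")
            if image.rsplit("\\", 1)[-1] in DECOY_BASENAMES and USER_PROFILE_DIR.search(image):
                findings.append(("decoy_security_name", idx, ev["image"]))
        elif ev["type"] == "file" and STARTUP_LNK.search(ev["path"]):
            # A file-create event does not carry the .lnk target, so attribute it to the creating image.
            findings.append(("startup_folder_lnk", idx, ev["path"]))
            hits[image].add("startup_lnk")
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and USER_PROFILE_DIR.search(ev["data"]):
            findings.append(("run_key_user_profile", idx, f"{ev['key']} = {ev['data']}"))
            hits[norm(ev["data"])].add("run_key")
    chains = {path: sorted(rules) for path, rules in hits.items() if len(rules) >= 2}
    return findings, chains


# Constructed events reproducing the report's process tree and IoCs (field names are assumptions).
WD = r"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
SCHTASKS_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                '/tn "Windows Defender" /tr "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe"')
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1424, "image": r"C:\Users\Admin\AppData\Local\Temp\Nanocore.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Nanocore.exe"'},
    {"type": "process", "pid": 1248, "parent": 1424, "image": WD, "cmdline": f'"{WD}"'},
    {"type": "file", "pid": 1248, "image": WD,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk"},
    {"type": "registry", "pid": 1248, "image": WD,
     "key": rf"\REGISTRY\USER\{REPORT_SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender",
     "data": f'"{WD}"'},
    {"type": "process", "pid": 3472, "parent": 1248, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": SCHTASKS_CMD},
    # Invented benign control: a daily vendor updater task under Program Files must not fire any rule.
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    found, chain = check_events(SAMPLE_EVENTS)
    for rule, idx, detail in found:
        print(f"[{rule}] event {idx}: {detail}")
    for path, rules in chain.items():
        print(f"persistence chain on {path}: {', '.join(rules)}")
```

The correlation step is the useful part: any one of the three rules fires on plenty of legitimate software, but the same user-profile executable being registered by a Run value, a Startup .lnk and a one-minute scheduled task at once is the pattern this report shows and is rare in benign activity. On a real Sysmon feed the events would come from Event IDs 1, 11 and 13 with the `Image`, `TargetFilename` and `Details` fields mapped onto the keys used here.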
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender.exe.log
- Filesize: 654B
- MD5: 2ff39f6c7249774be85fd60a8f9a245e
- SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
- SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
- SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
This usage log is written by the .NET Framework 4 runtime when a managed executable runs, so it identifies Windows Defender.exe as a .NET 4 assembly; it is a runtime artifact, not a dropped payload.

C:\Users\Admin\AppData\Roaming\NanoCore.exe (listed three times in the report with identical hashes)
- Filesize: 1.4MB
- MD5: 1728acc244115cbafd3b810277d2e321
- SHA1: be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
- SHA256: ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
- SHA512: 8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

C:\Users\Admin\AppData\Roaming\Windows Defender.exe (listed five times in the report with identical hashes)
- Filesize: 67KB
- MD5: 404dee8c8fe0b8c25ac39f60960dcbf0
- SHA1: 078b5427a3c29a2f410f0e09f667389ad630ed60
- SHA256: 90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7
- SHA512: 9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e
Memory dumps
- memory/1248-169-0x000000001C9D0000-0x000000001C9E0000-memory.dmp: 64KB
- memory/1248-167-0x000000001C9D0000-0x000000001C9E0000-memory.dmp: 64KB
- memory/1248-156-0x0000000000690000-0x00000000006A8000-memory.dmp: 96KB
- memory/1424-133-0x00000000009B0000-0x0000000000B2E000-memory.dmp: 1.5MB
- memory/5112-166-0x00000000013E0000-0x00000000013F0000-memory.dmp: 64KB
- memory/5112-159-0x00000000051E0000-0x00000000051E1000-memory.dmp: 4KB
- memory/5112-158-0x00000000013E0000-0x00000000013F0000-memory.dmp: 64KB