xmrig | 517f321c489f68449571c735e9c1cbae5d3241a6872972b687be97d2b5d04903

Analysis

max time kernel
306s
max time network
318s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2023, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/NanoCorex.exe
Size

5.5MB
MD5

86e969198fa021717306f6e1fa91f548
SHA1

8ff9dc70c623824f91c75af4a4a57b62cea0f0b3
SHA256

5d66f49d642c092195beca3500408edd09409fefc65284ec3f69a8454dc3dfa7
SHA512

36d9d1a468575aa2a76c486a61fa430eae095f5ec24c75915523b758339d00844b5695665101740cce1c3cc61ed3bf8014d623a02feddfbd06cfa2db06761f0e
SSDEEP

98304:TJnZwQ8/VAQRxdsPKJ/lRM/oO3FX5Tz1m2HK1LtKfDAy9Yi7O+Kx:TJWQ8/GQDd3JjPOVXRzPHGL4fDAy9Yiq

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 37 IoCs

miner

resource	yara_rule
behavioral1/memory/3664-162-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-164-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-169-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-170-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-171-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-177-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-181-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-194-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-197-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-206-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-207-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-208-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-209-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-210-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-212-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-213-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-215-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-216-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-231-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-300-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-301-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-302-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-303-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-304-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-305-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-306-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-307-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-324-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-325-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-326-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-327-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-328-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-329-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-331-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-332-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-333-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/3664-334-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3368	netsh.exe
1808	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	NanoCorex.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	TiWorker.exe
4620	NanoCore.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	NanoCorex.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	NanoCorex.exe
File created	C:\Windows\SysWOW64\TiWorker.exe	NanoCorex.exe
File opened for modification	C:\Windows\SysWOW64\TiWorker.exe	NanoCorex.exe
File created	C:\Windows\SysWOW64\config.json	NanoCorex.exe
File opened for modification	C:\Windows\SysWOW64\config.json	NanoCorex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	4276	WerFault.exe	18

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4228	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}	OneDrive.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000007956f9b610004c6f63616c003c0009000400efbe545642a57956fbb62e000000aae10100000001000000000000000000000000000000a17f3c004c006f00630061006c00000014000000	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\VersionIndependentProgID\ = "SyncEngineCOMServer.SyncEngineCOMServer"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ = "IFileSyncClient2"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ = "FileSyncEx"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID\ = "StorageProviderUriSource.StorageProviderUriSource.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ = "IFileUploadCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3972	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
1552	NanoCorex.exe
3972	OneDrive.exe
3972	OneDrive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4620	NanoCore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	NanoCore.exe
Token: SeLockMemoryPrivilege	3664	TiWorker.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4620	NanoCore.exe
3972	OneDrive.exe
3972	OneDrive.exe
3972	OneDrive.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3972	OneDrive.exe
3972	OneDrive.exe
3972	OneDrive.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
4620	NanoCore.exe
3972	OneDrive.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1560	1552	NanoCorex.exe	85
PID 1552 wrote to memory of 1560	1552	NanoCorex.exe	85
PID 1560 wrote to memory of 3604	1560	cmd.exe	87
PID 1560 wrote to memory of 3604	1560	cmd.exe	87
PID 1560 wrote to memory of 3340	1560	cmd.exe	88
PID 1560 wrote to memory of 3340	1560	cmd.exe	88
PID 1552 wrote to memory of 208	1552	NanoCorex.exe	89
PID 1552 wrote to memory of 208	1552	NanoCorex.exe	89
PID 208 wrote to memory of 4372	208	cmd.exe	91
PID 208 wrote to memory of 4372	208	cmd.exe	91
PID 1552 wrote to memory of 2660	1552	NanoCorex.exe	92
PID 1552 wrote to memory of 2660	1552	NanoCorex.exe	92
PID 2660 wrote to memory of 3368	2660	cmd.exe	94
PID 2660 wrote to memory of 3368	2660	cmd.exe	94
PID 1552 wrote to memory of 4476	1552	NanoCorex.exe	97
PID 1552 wrote to memory of 4476	1552	NanoCorex.exe	97
PID 4476 wrote to memory of 1808	4476	cmd.exe	99
PID 4476 wrote to memory of 1808	4476	cmd.exe	99
PID 1552 wrote to memory of 1832	1552	NanoCorex.exe	100
PID 1552 wrote to memory of 1832	1552	NanoCorex.exe	100
PID 1832 wrote to memory of 4228	1832	cmd.exe	103
PID 1832 wrote to memory of 4228	1832	cmd.exe	103
PID 1552 wrote to memory of 1336	1552	NanoCorex.exe	104
PID 1552 wrote to memory of 1336	1552	NanoCorex.exe	104
PID 1336 wrote to memory of 3980	1336	cmd.exe	106
PID 1336 wrote to memory of 3980	1336	cmd.exe	106
PID 1336 wrote to memory of 5008	1336	cmd.exe	107
PID 1336 wrote to memory of 5008	1336	cmd.exe	107
PID 1552 wrote to memory of 2356	1552	NanoCorex.exe	110
PID 1552 wrote to memory of 2356	1552	NanoCorex.exe	110
PID 2356 wrote to memory of 2508	2356	cmd.exe	112
PID 2356 wrote to memory of 2508	2356	cmd.exe	112
PID 1552 wrote to memory of 4620	1552	NanoCorex.exe	114
PID 1552 wrote to memory of 4620	1552	NanoCorex.exe	114
PID 1552 wrote to memory of 4620	1552	NanoCorex.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:3604
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "WindowsUpdate"
    3⤵
    PID:3340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\system32\schtasks.exe
    schtasks /Delete /TN "WindowsUpdate" /F
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Creates scheduled task(s)
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
    3⤵
    PID:3980
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root MicrosoftWindows.crt
    3⤵
    PID:2508
- C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
  "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4620

C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4276 -ip 4276
1⤵
PID:2448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4276 -s 2476
1⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1396

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2024

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
a246b23375817dd69f85d856c2be1030

SHA1
f9ccdd770be1dd08663d6a428a4c1978d368215f

SHA256
a61b4e3fdfc5fb22884d402dc7031738879b79541e1dfa909b99952d0b568176

SHA512
4cc44396fee66638433408a6e5e69e51fb92d679c40d67cf70345564ae071e2c108dc67d54d4cf287888537722e60f186156efc8bf0ec8a41bceec6bfcdfb472

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

Filesize
1KB

MD5
1bb617d3aab1dbe2ec2e4a90bf824846

SHA1
bbe179f1bdc4466661da3638420e6ca862bd50ca

SHA256
1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580

SHA512
ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA107.tmp

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autAB7A.tmp

Filesize
1KB

MD5
1bb617d3aab1dbe2ec2e4a90bf824846

SHA1
bbe179f1bdc4466661da3638420e6ca862bd50ca

SHA256
1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580

SHA512
ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

Download Submit
C:\Windows\SysWOW64\MicrosoftWindows.xml

Filesize
4KB

MD5
b1cbfcc7b7a5716a30b77f5dc5bb6135

SHA1
5c397ffd7a845b2fdf9e82ff73698784a91a2fb9

SHA256
96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430

SHA512
d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

Download Submit
C:\Windows\SysWOW64\TiWorker.exe

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
C:\Windows\SysWOW64\config.json

Filesize
1011B

MD5
3da156f2d3307118a8e2c569be30bc87

SHA1
335678ca235af3736677bd8039e25a6c1ee5efca

SHA256
f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb

SHA512
59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

Download Submit
\??\c:\windows\syswow64\tiworker.exe

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
memory/3664-328-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-197-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-169-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-171-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-164-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-334-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-177-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-333-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-162-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-332-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-181-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-331-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-329-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-302-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-327-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-326-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-194-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-325-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-324-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-170-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-159-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-307-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-306-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-305-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-304-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-303-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-206-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-207-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-208-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-209-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-210-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-212-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-213-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-215-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-216-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-158-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-231-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-300-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3664-301-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4620-175-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-205-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-204-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-203-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-200-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-199-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-198-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-196-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-195-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-192-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-191-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-188-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-182-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-183-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-180-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-178-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/4620-176-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download