Analysis

Max time kernel: 120s
Max time network: 121s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-03-2023 21:37
Behavioral tasks

task | sample | resource
behavioral1 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/ClientPlugin.dll | win10v2004-20230220-en
behavioral2 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/NanoCorex.exe | win10v2004-20230220-en
behavioral3 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/PluginCompiler.exe | win10v2004-20230220-en
behavioral4 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/ServerPlugin.dll | win10v2004-20230220-en
behavioral5 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/System.Data.SQLite.dll | win10v2004-20230221-en
behavioral6 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/client.exe | win10v2004-20230220-en
behavioral7 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/x64/SQLite.Interop.dll | win10v2004-20230220-en
behavioral8 | NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/x86/SQLite.Interop.dll | win10v2004-20230220-en
General

Target: NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/NanoCorex.exe
Size: 5.5MB
MD5: 86e969198fa021717306f6e1fa91f548
SHA1: 8ff9dc70c623824f91c75af4a4a57b62cea0f0b3
SHA256: 5d66f49d642c092195beca3500408edd09409fefc65284ec3f69a8454dc3dfa7
SHA512: 36d9d1a468575aa2a76c486a61fa430eae095f5ec24c75915523b758339d00844b5695665101740cce1c3cc61ed3bf8014d623a02feddfbd06cfa2db06761f0e
SSDEEP: 98304:TJnZwQ8/VAQRxdsPKJ/lRM/oO3FX5Tz1m2HK1LtKfDAy9Yi7O+Kx:TJWQ8/GQDd3JjPOVXRzPHGL4fDAy9Yiq
Malware Config
Signatures

XMRig Miner payload (18 IoCs)
  resource | yara_rule
  behavioral2/memory/696-161-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-162-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-163-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-164-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-165-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-166-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-192-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-193-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-200-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-205-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-206-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-207-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-208-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-209-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-210-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-211-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-212-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
  behavioral2/memory/696-213-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig

Modifies Windows Firewall (1 TTP, 2 IoCs)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | NanoCorex.exe

Executes dropped EXE (2 IoCs)
  pid | process
  696 | TiWorker.exe
  3668 | NanoCore.exe

Drops file in System32 directory (6 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config.json | NanoCorex.exe
  File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | NanoCorex.exe
  File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | NanoCorex.exe
  File created | C:\Windows\SysWOW64\TiWorker.exe | NanoCorex.exe
  File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | NanoCorex.exe
  File created | C:\Windows\SysWOW64\config.json | NanoCorex.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe
  1200 | NanoCorex.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeLockMemoryPrivilege | 696 | TiWorker.exe
  Token: SeDebugPrivilege | 3668 | NanoCore.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  3668 | NanoCore.exe
  3668 | NanoCore.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  description | pid | process | target process
  PID 1200 wrote to memory of 3308 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 3308 | 1200 | NanoCorex.exe | cmd.exe
  PID 3308 wrote to memory of 3740 | 3308 | cmd.exe | schtasks.exe
  PID 3308 wrote to memory of 3740 | 3308 | cmd.exe | schtasks.exe
  PID 3308 wrote to memory of 488 | 3308 | cmd.exe | schtasks.exe
  PID 3308 wrote to memory of 488 | 3308 | cmd.exe | schtasks.exe
  PID 1200 wrote to memory of 228 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 228 | 1200 | NanoCorex.exe | cmd.exe
  PID 228 wrote to memory of 1288 | 228 | cmd.exe | schtasks.exe
  PID 228 wrote to memory of 1288 | 228 | cmd.exe | schtasks.exe
  PID 1200 wrote to memory of 1592 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 1592 | 1200 | NanoCorex.exe | cmd.exe
  PID 1592 wrote to memory of 4348 | 1592 | cmd.exe | netsh.exe
  PID 1592 wrote to memory of 4348 | 1592 | cmd.exe | netsh.exe
  PID 1200 wrote to memory of 4812 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 4812 | 1200 | NanoCorex.exe | cmd.exe
  PID 4812 wrote to memory of 2864 | 4812 | cmd.exe | netsh.exe
  PID 4812 wrote to memory of 2864 | 4812 | cmd.exe | netsh.exe
  PID 1200 wrote to memory of 4232 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 4232 | 1200 | NanoCorex.exe | cmd.exe
  PID 4232 wrote to memory of 2820 | 4232 | cmd.exe | schtasks.exe
  PID 4232 wrote to memory of 2820 | 4232 | cmd.exe | schtasks.exe
  PID 1200 wrote to memory of 3788 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 3788 | 1200 | NanoCorex.exe | cmd.exe
  PID 3788 wrote to memory of 4548 | 3788 | cmd.exe | schtasks.exe
  PID 3788 wrote to memory of 4548 | 3788 | cmd.exe | schtasks.exe
  PID 3788 wrote to memory of 732 | 3788 | cmd.exe | schtasks.exe
  PID 3788 wrote to memory of 732 | 3788 | cmd.exe | schtasks.exe
  PID 1200 wrote to memory of 5080 | 1200 | NanoCorex.exe | cmd.exe
  PID 1200 wrote to memory of 5080 | 1200 | NanoCorex.exe | cmd.exe
  PID 5080 wrote to memory of 1688 | 5080 | cmd.exe | certutil.exe
  PID 5080 wrote to memory of 1688 | 5080 | cmd.exe | certutil.exe
  PID 1200 wrote to memory of 3668 | 1200 | NanoCorex.exe | NanoCore.exe
  PID 1200 wrote to memory of 3668 | 1200 | NanoCorex.exe | NanoCore.exe
  PID 1200 wrote to memory of 3668 | 1200 | NanoCorex.exe | NanoCore.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"
  Signatures: Checks computer location settings; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /End /TN "WindowsUpdate"
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Delete /TN "WindowsUpdate" /F
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      Signatures: Modifies Windows Firewall
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      Signatures: Modifies Windows Firewall
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command line: certutil –addstore –f root MicrosoftWindows.crt
  - C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\TiWorker.exe
  Command line: C:\Windows\SysWOW64\TiWorker.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt
  Filesize: 1KB
  MD5: 1bb617d3aab1dbe2ec2e4a90bf824846
  SHA1: bbe179f1bdc4466661da3638420e6ca862bd50ca
  SHA256: 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
  SHA512: ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

- C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
  Filesize: 1.4MB
  MD5: 1728acc244115cbafd3b810277d2e321
  SHA1: be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
  SHA256: ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
  SHA512: 8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

- C:\Users\Admin\AppData\Local\Temp\autBBD3.tmp
  Filesize: 3.2MB
  MD5: ecede3c32ce83ff76ae584c938512c5a
  SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
  SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
  SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

- C:\Windows\SysWOW64\MicrosoftWindows.xml
  Filesize: 4KB
  MD5: b1cbfcc7b7a5716a30b77f5dc5bb6135
  SHA1: 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
  SHA256: 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
  SHA512: d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

- C:\Windows\SysWOW64\TiWorker.exe
  Filesize: 3.2MB
  MD5: ecede3c32ce83ff76ae584c938512c5a
  SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
  SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
  SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

- C:\Windows\SysWOW64\config.json
  Filesize: 1011B
  MD5: 3da156f2d3307118a8e2c569be30bc87
  SHA1: 335678ca235af3736677bd8039e25a6c1ee5efca
  SHA256: f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
  SHA512: 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

- \??\c:\windows\syswow64\tiworker.exe
  Filesize: 3.2MB
  MD5: ecede3c32ce83ff76ae584c938512c5a
  SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
  SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
  SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d