Analysis
- max time kernel: 59s
- max time network: 63s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 22:03
Behavioral tasks
- behavioral1: sample nanacore/1.exe, resource win10v2004-20230220-en
- behavioral2: sample nanacore/ClientPlugin.dll, resource win10v2004-20230220-en
- behavioral3: sample nanacore/NanoCore.exe, resource win10v2004-20230220-en
- behavioral4: sample nanacore/PluginCompiler.exe, resource win10v2004-20230220-en
- behavioral5: sample nanacore/ServerPlugin.dll, resource win10v2004-20230220-en
- behavioral6: sample nanacore/System.Data.SQLite.dll, resource win10v2004-20230220-en
- behavioral7: sample nanacore/client.exe, resource win10v2004-20230221-en
- behavioral8: sample nanacore/x64/SQLite.Interop.dll, resource win10v2004-20230220-en
- behavioral9: sample nanacore/x86/SQLite.Interop.dll, resource win10v2004-20230220-en
General
- Target: nanacore/1.exe
- Size: 202KB
- MD5: 7262cd751358cfecb8d31ff81575ac29
- SHA1: fcab5f0e392ae5477635a7ced23bd1d377e69e16
- SHA256: 4667ca924aa5cbfd0a793da30825f5cb7ea98b2ddf83377c7b6ed91d73c3420c
- SHA512: eaaead267bbcf1bda32d7f978493a02f6f87ae5c2af7d5d3ff67ee0d097d540e3ae3c222282b7c97edbbda9a31b608e69db2374aab2346b7f25108912173c7ef
- SSDEEP: 3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HItMzhzRWEV9UWlv38SAB:wLV6Bta6dtJmakIM5NFAyUWlv3PAB
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 1.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Host = "C:\\Program Files (x86)\\DPI Host\\dpihost.exe"
- Checks whether UAC is enabled
  Process: 1.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops file in Program Files directory (2 IoCs)
  Process: 1.exe
  File created: C:\Program Files (x86)\DPI Host\dpihost.exe
  File opened for modification: C:\Program Files (x86)\DPI Host\dpihost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: 1.exe, pid 1120 (listed three times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: 1.exe, pid 1120
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: 1.exe, pid 1120
  Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\nanacore\1.exe
  "C:\Users\Admin\AppData\Local\Temp\nanacore\1.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1120-133-0x0000000000A20000-0x0000000000A30000-memory.dmp (file size: 64KB)
- memory/1120-136-0x0000000000A20000-0x0000000000A30000-memory.dmp (file size: 64KB)
- memory/1120-137-0x0000000000A20000-0x0000000000A30000-memory.dmp (file size: 64KB)
- memory/1120-138-0x0000000000A20000-0x0000000000A30000-memory.dmp (file size: 64KB)