Analysis
-
max time kernel
149s
-
max time network
156s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
17-06-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
nano.exe
Resource
win7-20240221-en
General
-
Target
nano.exe
-
Size
585KB
-
MD5
41d27d71597c9d1163fb58a816223962
-
SHA1
2ae197a2724967fb0ae77ee0c20d95d354b9e5cb
-
SHA256
b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
-
SHA512
555aa48eaa46f83933e34c6e8ecaf79c8f1756fb9de79181e4132bc2d02c5789abba90458ad347a374f34fc829f83b36d6666f64a657bf7e99ca5cb9aac2e1a0
-
SSDEEP
12288:2aYEnxStMSe+LQMNQ7ZQhIyOQSNSY2CNZ+TB29JvNgRh:J/nxSiSCMNQFwt3Jx8gB29Jv2
Malware Config
Extracted
-
Family
nanocore
-
Version
1.2.2.0
-
C2
2023endofyear.duckdns.org:15170
127.0.0.1:15170
-
Mutex
68e7ea47-3f3c-4af7-9707-6d09d0468009
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-12-29T09:19:37.611227236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value not present in the report)
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
15170
-
default_group
GLOBAL
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68e7ea47-3f3c-4af7-9707-6d09d0468009
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
2023endofyear.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  3976  powershell.exe
  4684  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation  nano.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                       process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe"  nano.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
  description        ioc                                                                           process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  nano.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process   target process
  PID 1316 set thread context of 4500  1316  nano.exe  nano.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
  description                   ioc                                            process
  File created                  C:\Program Files (x86)\SCSI Host\scsihost.exe  nano.exe
  File opened for modification  C:\Program Files (x86)\SCSI Host\scsihost.exe  nano.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  4736  schtasks.exe
  1436  schtasks.exe
  2480  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
  pid   process
  3976  powershell.exe
  4684  powershell.exe
  3976  powershell.exe
  4684  powershell.exe
  4500  nano.exe
  4500  nano.exe
  4500  nano.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  4500  nano.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3976  powershell.exe
  Token: SeDebugPrivilege  4684  powershell.exe
  Token: SeDebugPrivilege  4500  nano.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes (identical rows collapsed; the count column gives how many times each row appears, 23 in total):
  description                       pid   process   target process  count
  PID 1316 wrote to memory of 3976  1316  nano.exe  powershell.exe  3
  PID 1316 wrote to memory of 4684  1316  nano.exe  powershell.exe  3
  PID 1316 wrote to memory of 4736  1316  nano.exe  schtasks.exe    3
  PID 1316 wrote to memory of 4500  1316  nano.exe  nano.exe        8
  PID 4500 wrote to memory of 1436  4500  nano.exe  schtasks.exe    3
  PID 4500 wrote to memory of 2480  4500  nano.exe  schtasks.exe    3
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\nano.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nano.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1316
-
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
-
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
-
  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60CD.tmp"
    - Creates scheduled task(s)
    PID:4736
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\nano.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nano.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4500
-
    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6542.tmp"
      - Creates scheduled task(s)
      PID:1436
-
    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6746.tmp"
      - Creates scheduled task(s)
      PID:2480
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 18KB
MD5 66e95f30cc9608c46fe29171aa344bed
SHA1 4e000a9e24d0ced076aea3620fe2553b421bb627
SHA256 935e37c3b4ea67e914e79c3bcd2b9d37168c85b592194ffa3f425fa861a688f8
SHA512 60af86a6218bd4596d822ea504d19e3256cbbc090af256a0e90796db296a36d56ba5a55036ba9e6b872664c4f82d7e4c8160b70cf138942344d78b131523cc0e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4c1p0gep.4ck.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp60CD.tmp
Filesize 1KB
MD5 120d0406ea29f393fb1cef3adbc10d49
SHA1 3bf2a2173df54b09d73c3cf8a53f757a42a53ef4
SHA256 57a29b09617075415da12c2c58d9fd0b3f80e4f53523d6667cb818619dc69b75
SHA512 2fcc30c8fb629e12caad54e6315746463128bc7416f794c7349cc8fed06fe025296442f113926fa2e2fcc8da56dd55a8b79c642687193eb36d1ab9d9004c65c9
-
C:\Users\Admin\AppData\Local\Temp\tmp6542.tmp
Filesize 1KB
MD5 082cbbf4722a31333759fefb09e31258
SHA1 baf14a5f6496b590dc89bd978b06acdfe66f4480
SHA256 6fc807dc7258be0c9a45ce66659d4893c3fbecf33d08c4a4452153ba64022f69
SHA512 e8576972437179a75afbe87d415d683ae8d80c33bab31626a93b481df87ad8207b87497360fd15986d94f6792b4aee50b9910fe41c4a799a64f54b575cccc6b5
-
C:\Users\Admin\AppData\Local\Temp\tmp6746.tmp
Filesize 1KB
MD5 9a559f229be0944bc3dc813cde333f50
SHA1 0e97c97eea032b499ff060e799581e32beeceb09
SHA256 a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330
SHA512 4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68
-
memory/1316-4-0x0000000004E00000-0x0000000004E0A000-memory.dmp
Filesize 40KB
-
memory/1316-7-0x0000000005E30000-0x0000000005E38000-memory.dmp
Filesize 32KB
-
memory/1316-8-0x0000000005E40000-0x0000000005E4C000-memory.dmp
Filesize 48KB
-
memory/1316-9-0x0000000005EA0000-0x0000000005F1C000-memory.dmp
Filesize 496KB
-
memory/1316-10-0x0000000008650000-0x00000000086EC000-memory.dmp
Filesize 624KB
-
memory/1316-6-0x0000000005140000-0x0000000005154000-memory.dmp
Filesize 80KB
-
memory/1316-5-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/1316-3-0x0000000004C70000-0x0000000004D02000-memory.dmp
Filesize 584KB
-
memory/1316-2-0x0000000005180000-0x0000000005724000-memory.dmp
Filesize 5.6MB
-
memory/1316-48-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/1316-0-0x000000007491E000-0x000000007491F000-memory.dmp
Filesize 4KB
-
memory/1316-1-0x00000000001C0000-0x0000000000258000-memory.dmp
Filesize 608KB
-
memory/3976-20-0x0000000005A50000-0x0000000005A72000-memory.dmp
Filesize 136KB
-
memory/3976-87-0x0000000007BC0000-0x0000000007BCA000-memory.dmp
Filesize 40KB
-
memory/3976-36-0x0000000006220000-0x0000000006574000-memory.dmp
Filesize 3.3MB
-
memory/3976-101-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/3976-15-0x0000000002F00000-0x0000000002F36000-memory.dmp
Filesize 216KB
-
memory/3976-22-0x0000000006140000-0x00000000061A6000-memory.dmp
Filesize 408KB
-
memory/3976-16-0x0000000005AA0000-0x00000000060C8000-memory.dmp
Filesize 6.2MB
-
memory/3976-23-0x00000000061B0000-0x0000000006216000-memory.dmp
Filesize 408KB
-
memory/3976-19-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/3976-49-0x0000000006800000-0x000000000681E000-memory.dmp
Filesize 120KB
-
memory/3976-50-0x00000000068D0000-0x000000000691C000-memory.dmp
Filesize 304KB
-
memory/3976-18-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/3976-17-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/3976-91-0x0000000007D80000-0x0000000007D8E000-memory.dmp
Filesize 56KB
-
memory/3976-90-0x0000000007D50000-0x0000000007D61000-memory.dmp
Filesize 68KB
-
memory/3976-89-0x0000000007DD0000-0x0000000007E66000-memory.dmp
Filesize 600KB
-
memory/3976-86-0x0000000007B50000-0x0000000007B6A000-memory.dmp
Filesize 104KB
-
memory/3976-85-0x00000000081A0000-0x000000000881A000-memory.dmp
Filesize 6.5MB
-
memory/3976-84-0x0000000007A20000-0x0000000007AC3000-memory.dmp
Filesize 652KB
-
memory/3976-73-0x0000000071100000-0x000000007114C000-memory.dmp
Filesize 304KB
-
memory/4500-60-0x0000000005D20000-0x0000000005D3E000-memory.dmp
Filesize 120KB
-
memory/4500-37-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/4500-58-0x0000000005820000-0x000000000582A000-memory.dmp
Filesize 40KB
-
memory/4500-59-0x0000000005BF0000-0x0000000005BFC000-memory.dmp
Filesize 48KB
-
memory/4500-61-0x0000000006950000-0x000000000695A000-memory.dmp
Filesize 40KB
-
memory/4684-88-0x0000000007B50000-0x0000000007B5A000-memory.dmp
Filesize 40KB
-
memory/4684-35-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/4684-82-0x0000000007910000-0x000000000792E000-memory.dmp
Filesize 120KB
-
memory/4684-62-0x0000000007930000-0x0000000007962000-memory.dmp
Filesize 200KB
-
memory/4684-92-0x0000000007D20000-0x0000000007D34000-memory.dmp
Filesize 80KB
-
memory/4684-93-0x0000000007E20000-0x0000000007E3A000-memory.dmp
Filesize 104KB
-
memory/4684-94-0x0000000007E00000-0x0000000007E08000-memory.dmp
Filesize 32KB
-
memory/4684-21-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/4684-25-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB
-
memory/4684-63-0x0000000071100000-0x000000007114C000-memory.dmp
Filesize 304KB
-
memory/4684-100-0x0000000074910000-0x00000000750C0000-memory.dmp
Filesize 7.7MB