Malware Analysis Report

2024-08-06 14:44

Sample ID 240617-lmssyavema
Target nano.exe
SHA256 b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
Tags
nanocore evasion execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c

Threat Level: Known bad

The file nano.exe was found to be: Known bad. Both detonations (Windows 7 and Windows 10) match the NanoCore signature and record the same chain: PowerShell adds Windows Defender exclusions for the sample and for a second payload path, scheduled tasks and a Run key are created under a service-like name ("NAS Host" or "SCSI Host") in Program Files (x86), a second copy of nano.exe is started and has its thread context rewritten by the first, and the implant beacons to 2023endofyear.duckdns.org on TCP port 15170.

Malicious Activity Summary

nanocore evasion execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 09:39

Reported

2024-06-17 09:41

Platform

win7-20240221-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2060 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Users\Admin\AppData\Local\Temp\nano.exe

The target is a second instance of the sample (PID 2768), started by PID 2060, which also writes to it nine times against four writes into each of its PowerShell and schtasks children. A parent starting a copy of its own image, writing into it and then resetting its thread context is the process-hollowing pattern: the packed loader in 2060 most likely unpacks the NanoCore payload into 2768, and the repeatedly dumped 0x00400000-0x0043A000 region of that process under Files is where to look for the unpacked image. The "NAS Host" scheduled tasks are then created by 2768, not by the original process.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NAS Host\nashost.exe C:\Users\Admin\AppData\Local\Temp\nano.exe N/A
File opened for modification C:\Program Files (x86)\NAS Host\nashost.exe C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2108 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2644 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe
PID 2060 wrote to memory of 2768 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Users\Admin\AppData\Local\Temp\nano.exe
PID 2768 wrote to memory of 1800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2616 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\nano.exe

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

Note: the image path is under SysWOW64 although each command line names System32. nano.exe is a 32-bit process, so WOW64 file-system redirection maps the System32 path it passes to CreateProcess onto the 32-bit PowerShell; the same applies to the schtasks.exe entries below. Add-MpPreference requires administrator rights, and the second exclusion covers C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe, a path that appears in the Files listing of neither run, so the exclusion (and the "Updates\dsiayzgxX" task below) is prepared for a copy the sandbox never saw written.

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp"

C:\Users\Admin\AppData\Local\Temp\nano.exe

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp

Files

memory/2060-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2060-1-0x0000000000950000-0x00000000009E8000-memory.dmp

memory/2060-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2060-3-0x0000000000330000-0x0000000000344000-memory.dmp

memory/2060-4-0x0000000000530000-0x0000000000538000-memory.dmp

memory/2060-5-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2060-6-0x0000000002050000-0x00000000020CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp

MD5 bea4e326d6dff14d735324d27e03956f
SHA1 c94861e7260f1b18d0a86742a3300f888224c4c4
SHA256 71c9a4181f05fc659666cafc040549140703a2cbe063dd70ee408eb41141421e
SHA512 1d8211e31bd90d55caf6674166b68b499a3f3e74e29b342472617a378fa99cff20c6063ef4358abdd5cdc12f6a7af375efb0297f150f02e5b79fa73cc877e315

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APVH8Y30AL2POFPD1ZPU.temp

MD5 489175d72d90d28cf1919fdce53e24f8
SHA1 b70f9a2e18550fd9e0c6dc4ca5a45f483915f403
SHA256 0d2d8aea674cbcfbafbf207564520f19a3ca0ea9e3b5880ca7166c90bc2539a0
SHA512 b8028d57c98b854f87c669c5d3e935de5c2b1751022223c0c7538be057555218911e353837592fe1e779d77ecdeb4bbbbcd1878f5c66b8df098ed3a2e96ceb95

memory/2768-19-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-28-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-32-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2060-31-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2768-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2768-23-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-21-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-25-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp

MD5 082cbbf4722a31333759fefb09e31258
SHA1 baf14a5f6496b590dc89bd978b06acdfe66f4480
SHA256 6fc807dc7258be0c9a45ce66659d4893c3fbecf33d08c4a4452153ba64022f69
SHA512 e8576972437179a75afbe87d415d683ae8d80c33bab31626a93b481df87ad8207b87497360fd15986d94f6792b4aee50b9910fe41c4a799a64f54b575cccc6b5

C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp

MD5 9f554f602c22cfc20079e966d177fadb
SHA1 789baa3425849bf239e47c6bcf352e6693a8c337
SHA256 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
SHA512 b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb

memory/2768-40-0x00000000004F0000-0x00000000004FA000-memory.dmp

memory/2768-41-0x0000000000540000-0x000000000054C000-memory.dmp

memory/2768-42-0x0000000000660000-0x000000000067E000-memory.dmp

memory/2768-43-0x0000000000680000-0x000000000068A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 09:39

Reported

2024-06-17 09:42

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1316 set thread context of 4500 N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Users\Admin\AppData\Local\Temp\nano.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\nano.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nano.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 3976 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4684 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4736 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe
PID 1316 wrote to memory of 4500 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Users\Admin\AppData\Local\Temp\nano.exe
PID 4500 wrote to memory of 1436 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 2480 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nano.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\nano.exe

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60CD.tmp"

C:\Users\Admin\AppData\Local\Temp\nano.exe

"C:\Users\Admin\AppData\Local\Temp\nano.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6542.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6746.tmp"
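Both runs show the same sequence in the PowerShell and schtasks command lines above: two Defender exclusions, a task registered from an XML file in %TEMP%, a second nano.exe started by the first, and a Run key plus "NAS Host"/"SCSI Host" tasks pointing into Program Files (x86). The following Python is an added example, not sandbox output or anything from the sample: it encodes those observations as four host-detection rules plus a correlation step and runs them over constructed Sysmon-style events whose PIDs, images and command lines are taken from the behavioral1 run. The flat event schema, the explorer.exe parent of PID 2060 and the benign "ExampleApp" control event are assumptions.

```python
"""Host-side detection for the behaviour chain recorded in this report.

Added example, not sandbox output or code from the sample. EVENTS are
constructed Sysmon-style records (process creation, registry value set) whose
PIDs, images and command lines come from the behavioral1 run; the flat field
names are an assumed normalised schema, not Sysmon's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

NANO = r"C:\Users\Admin\AppData\Local\Temp\nano.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

EVENTS: List[Dict] = [
    {"type": "process", "pid": 2060, "ppid": 1234, "image": NANO,
     "parent_image": r"C:\Windows\explorer.exe", "cmd": f'"{NANO}"'},  # parent assumed
    {"type": "process", "pid": 2108, "ppid": 2060, "image": PS, "parent_image": NANO,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe"'},
    {"type": "process", "pid": 2644, "ppid": 2060, "image": PS, "parent_image": NANO,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"'},
    {"type": "process", "pid": 2668, "ppid": 2060, "image": SCHTASKS, "parent_image": NANO,
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp"'},
    {"type": "process", "pid": 2768, "ppid": 2060, "image": NANO, "parent_image": NANO,
     "cmd": f'"{NANO}"'},
    {"type": "process", "pid": 1800, "ppid": 2768, "image": SCHTASKS, "parent_image": NANO,
     "cmd": r'"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp"'},
    {"type": "registry", "pid": 2060, "image": NANO,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host",
     "value": r"C:\Program Files (x86)\NAS Host\nashost.exe"},
    # Constructed benign control: an installer registering a task from its own XML.
    {"type": "process", "pid": 3001, "ppid": 2999, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\ExampleApp\setup.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "ExampleApp Update" /XML "C:\Program Files\ExampleApp\update.xml"'},
]

USER_WRITABLE = re.compile(r"\\(?:AppData|Downloads|ProgramData|Public)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]*)"|(\S+))', re.I)
EXCLUSION = re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """One finding per matching event. 'actor' is the PID the finding is charged
    to: the parent for a child process, the writing process for a registry event."""
    findings = []
    for e in events:
        if e["type"] == "process":
            name, cmd = basename(e["image"]), e["cmd"]
            if name == "powershell.exe" and EXCLUSION.search(cmd):
                findings.append({"rule": "defender_exclusion", "pid": e["pid"], "actor": e["ppid"], "detail": cmd})
            if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                m = XML_ARG.search(cmd)
                xml = (m.group(1) or m.group(2)) if m else ""
                if TEMP_DIR.search(xml):  # task definition staged in %TEMP%, as in both runs
                    findings.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"], "actor": e["ppid"], "detail": xml})
            if e["image"].lower() == e["parent_image"].lower() and USER_WRITABLE.search(e["image"]):
                findings.append({"rule": "self_spawn_from_user_dir", "pid": e["pid"], "actor": e["ppid"], "detail": e["image"]})
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["image"]):
                findings.append({"rule": "run_key_from_user_dir", "pid": e["pid"], "actor": e["pid"],
                                 "detail": f'{e["key"]} = {e["value"]}'})
    return findings


def correlate(findings: List[Dict], min_rules: int = 3) -> Dict[int, Set[str]]:
    """Group findings by actor PID; one process behind min_rules or more distinct
    rules is the loader chain worth escalating, rather than four separate alerts."""
    by_actor: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        by_actor[f["actor"]].add(f["rule"])
    return {pid: rules for pid, rules in by_actor.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:26} pid={f["pid"]:<5} actor={f["actor"]:<5} {f["detail"]}')
    print("escalate:", correlate(detect(EVENTS)))
```

Run as a script to print the findings. The correlation step is the useful part: any single rule fires on legitimate administration now and then (an installer adding an exclusion, a setup program registering a task, which is why the control event is not flagged), but one binary in a user-writable directory behind three or more of them in a single process tree is the chain this report records.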

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp
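Across both runs the only destination that is not sandbox background traffic is 2023endofyear.duckdns.org on TCP 15170, which resolves to 91.92.255.172 (NL) early in each run and to 105.163.157.192 (KE) later, with connections to 127.0.0.1:15170 in between. The Python below is an added example, not sandbox code: it parses rows in the format of the Network tables above (a subset of the behavioral2 rows, copied into the script), drops the reverse lookups and the Windows 10 image's own Bing traffic, and turns the rest into C2 indicators. Treating bing.com and in-addr.arpa lookups as noise is an assumption for this sandbox image, as is the list of dynamic-DNS suffixes.

```python
"""Turn a sandbox network table into C2 indicators.

Added example, not sandbox code. NETWORK_TABLE is a subset of the behavioral2
rows of this report, pasted verbatim; the noise and dynamic-DNS lists are
assumptions for this sandbox image.
"""
from collections import defaultdict
from typing import Dict, List

NETWORK_TABLE = """
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
KE 105.163.157.192:15170 2023endofyear.duckdns.org tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
"""

# Assumed: dynamic-DNS suffixes that deserve a second look when paired with an odd port.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".no-ip.org", ".ddns.net", ".hopto.org")
# Assumed: background traffic of the sandbox's Windows 10 image, not the sample's.
PLATFORM_NOISE = ("bing.com", "microsoft.com", "windowsupdate.com")
STANDARD_PORTS = {53, 80, 443}


def parse_rows(text: str) -> List[Dict]:
    """Rows are 'Country Destination Domain Proto'; loopback rows carry no Domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        host, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": host, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]})
    return rows


def is_noise(row: Dict) -> bool:
    d = row["domain"]
    if d is None:
        return False
    if d.endswith(".in-addr.arpa"):  # the sandbox's own reverse lookups
        return True
    return any(d == n or d.endswith("." + n) for n in PLATFORM_NOISE)


def summarise(text: str) -> Dict[str, Dict]:
    """Group non-noise rows by domain (or bare IP), keeping DNS queries, outbound
    connections and loopback connections apart, then classify each group."""
    groups: Dict[str, Dict] = defaultdict(lambda: {
        "dns_queries": 0, "connections": 0, "ips": set(), "ports": set(), "countries": set()})
    loopback_ports: Dict[int, int] = defaultdict(int)
    for row in parse_rows(text):
        if is_noise(row):
            continue
        if row["ip"].startswith("127."):
            loopback_ports[row["port"]] += 1
            continue
        if row["proto"] == "udp" and row["port"] == 53 and row["domain"]:
            groups[row["domain"]]["dns_queries"] += 1
            continue
        g = groups[row["domain"] or row["ip"]]
        g["connections"] += 1
        g["ips"].add(row["ip"])
        g["ports"].add(row["port"])
        g["countries"].add(row["country"])
    for name, g in groups.items():
        g["dynamic_dns"] = name.endswith(DDNS_SUFFIXES)
        g["nonstandard_port"] = bool(g["ports"] - STANDARD_PORTS)
        g["loopback_same_port"] = any(p in loopback_ports for p in g["ports"])
        g["verdict"] = "likely_c2" if g["dynamic_dns"] and g["nonstandard_port"] else "review"
    return dict(groups)


def iocs(groups: Dict[str, Dict]) -> List[str]:
    """Flat indicator list for the groups classified as C2. The domain comes first:
    the address behind a dynamic-DNS name changes (it changed during this run)."""
    out = []
    for name, g in groups.items():
        if g["verdict"] == "likely_c2":
            out.append(f"domain:{name}")
            out.extend(f"ip:{ip}" for ip in sorted(g["ips"]))
            out.extend(f"dst_port:{p}" for p in sorted(g["ports"]))
    return out


if __name__ == "__main__":
    groups = summarise(NETWORK_TABLE)
    for name, g in groups.items():
        print(name, g)
    print(iocs(groups))
```

Keying the summary on the domain rather than the address is the point: the same DuckDNS name resolved to two addresses within one run, so an IP-only block list written from the first half of the capture would have missed the second server, while the domain and port pair stays constant across both runs.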

Files

memory/1316-0-0x000000007491E000-0x000000007491F000-memory.dmp

memory/1316-1-0x00000000001C0000-0x0000000000258000-memory.dmp

memory/1316-2-0x0000000005180000-0x0000000005724000-memory.dmp

memory/1316-3-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/1316-4-0x0000000004E00000-0x0000000004E0A000-memory.dmp

memory/1316-5-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1316-6-0x0000000005140000-0x0000000005154000-memory.dmp

memory/1316-7-0x0000000005E30000-0x0000000005E38000-memory.dmp

memory/1316-8-0x0000000005E40000-0x0000000005E4C000-memory.dmp

memory/1316-9-0x0000000005EA0000-0x0000000005F1C000-memory.dmp

memory/1316-10-0x0000000008650000-0x00000000086EC000-memory.dmp

memory/3976-15-0x0000000002F00000-0x0000000002F36000-memory.dmp

memory/3976-16-0x0000000005AA0000-0x00000000060C8000-memory.dmp

memory/3976-17-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-18-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-19-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-23-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/4684-25-0x0000000074910000-0x00000000750C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp60CD.tmp

MD5 120d0406ea29f393fb1cef3adbc10d49
SHA1 3bf2a2173df54b09d73c3cf8a53f757a42a53ef4
SHA256 57a29b09617075415da12c2c58d9fd0b3f80e4f53523d6667cb818619dc69b75
SHA512 2fcc30c8fb629e12caad54e6315746463128bc7416f794c7349cc8fed06fe025296442f113926fa2e2fcc8da56dd55a8b79c642687193eb36d1ab9d9004c65c9

memory/4684-35-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-36-0x0000000006220000-0x0000000006574000-memory.dmp

memory/4500-37-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4c1p0gep.4ck.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3976-22-0x0000000006140000-0x00000000061A6000-memory.dmp

memory/4684-21-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-20-0x0000000005A50000-0x0000000005A72000-memory.dmp

memory/1316-48-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3976-49-0x0000000006800000-0x000000000681E000-memory.dmp

memory/3976-50-0x00000000068D0000-0x000000000691C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6542.tmp

MD5 082cbbf4722a31333759fefb09e31258
SHA1 baf14a5f6496b590dc89bd978b06acdfe66f4480
SHA256 6fc807dc7258be0c9a45ce66659d4893c3fbecf33d08c4a4452153ba64022f69
SHA512 e8576972437179a75afbe87d415d683ae8d80c33bab31626a93b481df87ad8207b87497360fd15986d94f6792b4aee50b9910fe41c4a799a64f54b575cccc6b5

C:\Users\Admin\AppData\Local\Temp\tmp6746.tmp

MD5 9a559f229be0944bc3dc813cde333f50
SHA1 0e97c97eea032b499ff060e799581e32beeceb09
SHA256 a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330
SHA512 4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68

memory/4500-58-0x0000000005820000-0x000000000582A000-memory.dmp

memory/4500-61-0x0000000006950000-0x000000000695A000-memory.dmp

memory/4500-60-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/4500-59-0x0000000005BF0000-0x0000000005BFC000-memory.dmp

memory/4684-62-0x0000000007930000-0x0000000007962000-memory.dmp

memory/4684-63-0x0000000071100000-0x000000007114C000-memory.dmp

memory/4684-82-0x0000000007910000-0x000000000792E000-memory.dmp

memory/3976-73-0x0000000071100000-0x000000007114C000-memory.dmp

memory/3976-84-0x0000000007A20000-0x0000000007AC3000-memory.dmp

memory/3976-85-0x00000000081A0000-0x000000000881A000-memory.dmp

memory/3976-86-0x0000000007B50000-0x0000000007B6A000-memory.dmp

memory/4684-88-0x0000000007B50000-0x0000000007B5A000-memory.dmp

memory/3976-87-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

memory/3976-89-0x0000000007DD0000-0x0000000007E66000-memory.dmp

memory/3976-90-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/3976-91-0x0000000007D80000-0x0000000007D8E000-memory.dmp

memory/4684-92-0x0000000007D20000-0x0000000007D34000-memory.dmp

memory/4684-93-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/4684-94-0x0000000007E00000-0x0000000007E08000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 66e95f30cc9608c46fe29171aa344bed
SHA1 4e000a9e24d0ced076aea3620fe2553b421bb627
SHA256 935e37c3b4ea67e914e79c3bcd2b9d37168c85b592194ffa3f425fa861a688f8
SHA512 60af86a6218bd4596d822ea504d19e3256cbbc090af256a0e90796db296a36d56ba5a55036ba9e6b872664c4f82d7e4c8160b70cf138942344d78b131523cc0e

memory/3976-101-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/4684-100-0x0000000074910000-0x00000000750C0000-memory.dmp