Overview

overview

10

Static

static

10

client.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    206s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-12-2024 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    203KB

  • MD5

    74f5229ec05fdb0e5150b41fddb4279a

  • SHA1

    441cde89f363f7712cec41360ffbeaa0f480875e

  • SHA256

    d27d22f8a8fe189418081c9c97f5ef90194d287c7e383642806ab915ace9b016

  • SHA512

    9e115b54468eed5781af82d14a6ba3d7f992d62174249f21403c25ba8263e8363151879a0ef5a91ba3e76f8af4e67e0b9c424d54ba7d740ad4cf4aef311392f9

  • SSDEEP

    3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIfKPAGTwjgaxODOeSQcY/UShKH:sLV6Bta6dtJmakIM5vr8PxtPY/1KH

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.exe
    "C:\Users\Admin\AppData\Local\Temp\client.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB2C5.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB324.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4260
    • C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5056
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /delete /f /tn "SCSI Subsystem"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1736
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /delete /f /tn "SCSI Subsystem Task"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4544
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /f /im "client.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\client.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\client.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "client.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 -w 3000 1.1.1.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB2C5.tmp
    Filesize

    1KB

    MD5

    4b25c43c4a8a3c8ce6ed59dd27a6d5da

    SHA1

    39a1059ae8a14458672fa20053b9214fb0faeba7

    SHA256

    5b4d4a864d877a082656f01ff8fa16ad6305e63d3c0e9df37035a13ffa07d285

    SHA512

    50ebc2b42c5d87b6be155f7c8e950e2826db5cab4b3c895c82c1b0964774c5708a14c33b36e6292e941b2f46092fac3f3adcf4c10f9ff54308b0f6d255331dcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB324.tmp
    Filesize

    1KB

    MD5

    bd110f9fc6c1a842f1d9b269010b0611

    SHA1

    ef71c062902602faef9b66dcd1cfc9fe5baaf389

    SHA256

    8135c4e4eeaa741f752c0ab8f4ee33e3bb8a0cac5923812234f2e5177d50eb5b

    SHA512

    b8a7943a3126880b26407800bbdad5402c5b0e2aa106e7dbbb35d0cb145ca9de114401573a6aa66042a2e13674cfbcc2981d66b813f9b923fff5302210afba1f

    Download Submit

  • memory/2068-20-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-1-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-0-0x00000000746C1000-0x00000000746C2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2068-10-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-14-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-15-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-16-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-17-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-18-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-19-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-41-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2068-2-0x00000000746C0000-0x0000000074C71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5056-22-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-23-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-27-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-33-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-32-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-31-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-30-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-29-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-28-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-21-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download