General
- Target: NanoCore.zip
- Size: 18.1MB
- Sample: 250213-dzgx7sslhm
- MD5: 91f4a9ef46bd12a099c59ed2b5a587f7
- SHA1: 6764d1e0b5e97279f94d558705089d29048a26ff
- SHA256: fef7c5f3c06740cd4c3613a77acb03c0bfd60aaa4c27995f0ae9862c45ada8ba
- SHA512: dca240c0aa7cb760cf3341cb46f3a5346934e96031fff724e1a95d4aeae6fc4f609dffb517dc9073549cf9d807867dbc94624c833126efe47e07a2490427391c
- SSDEEP: 393216:vfVFdRQrMvORPWz7z18JXUfXZRzX6Xwat7ojUhCRh4w2j0z7:XVF/dgPqzaJqN6XwuoIhwsG
Behavioral task: behavioral1
- Sample: NanoCore/NanoCore 1.2.2.0.zip
- Resource: win10ltsc2021-20250207-en
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 127.0.0.1:54984
- Mutex: 0a58aef9-430a-40b3-bc54-321556a3f865
Attributes
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-02-15T14:37:43.789028636Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0a58aef9-430a-40b3-bc54-321556a3f865
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host:
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
- Target: NanoCore/NanoCore 1.2.2.0.zip
- Size: 6.5MB
- MD5: 0078c4384ce74786c3e14be22e7cabcf
- SHA1: b4aeac27aead6f84db7eb3e21df998157fc6f000
- SHA256: a1dee3f533679540bcaa5e4d5824aae9493d189d165d3e4643d236e6c1e0ef1a
- SHA512: 4dc4ee6650e02e3ad40b468ad965b6d74bca9525d787ec049fcd1ea924613f38ee1d8e32517e9c6bb06cfdaf1c87c56f27a027eca9d401d0ed50810b017cb6c2
- SSDEEP: 196608:8vG2XuOGidG8cTett6jAhktnrdKKLuez71:D2nTMT1gSQSbzZ
Signatures
- Nanocore family
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
  - Browser Extensions (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)