Analysis

  • max time kernel
    289s
  • max time network
    293s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    14-02-2025 15:54

General

  • Target

    test.exe

  • Size

    202KB

  • MD5

    c1beb7a79c6268028a5e54bbb40421c9

  • SHA1

    4521454c5ade866704417c63cca5857b97849c37

  • SHA256

    873c4fcc6dcd4c50dddc6fc333bc9dc298264a04756e7b907863f14d58d40a17

  • SHA512

    58aec9ff41ff95c57d18eb06b8733ad323651a6e42533d7577323264f646c68246fad6efb17d30c0288c438648b0a71819f4aa05704883b45f7316370f2d1c8e

  • SSDEEP

    3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI7czhzRWEV9UWlv38SAt:gLV6Bta6dtJmakIM53FAyUWlv3PAt

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Downloads MZ/PE file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\explorer.exe
        explorer
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1144
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2928
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:3084

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3404-0-0x0000000073C72000-0x0000000073C73000-memory.dmp
    Filesize: 4KB
  • memory/3404-1-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-2-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-4-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-6-0x0000000073C72000-0x0000000073C73000-memory.dmp
    Filesize: 4KB
  • memory/3404-7-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-8-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-9-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-14-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB
  • memory/3404-15-0x0000000073C70000-0x0000000074221000-memory.dmp
    Filesize: 5.7MB