Overview

overview

10

Static

static

3

PW Loader.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PW Loader.zip

  • Size

    312KB

  • Sample

    250301-dggvgsyk16

  • MD5

    a9cbda7b860fc868aae1e969c3619bb1

  • SHA1

    95cf5de8332bfe1fee3402d484e2502a153a9c68

  • SHA256

    80c22a635c8c465742fe3062fc705710d561ef1decc7094f22adc041bb2f15ed

  • SHA512

    c7d8ff507a95ffbff6c9f7194c8f0636c9fd391c4aa5e4ae5f919861652dbc0c91d8a47c5444797edd8049f8ee387bbb45e355812a03fdc1675f71304b02540c

  • SSDEEP

    6144:0VkRP2RdNr0BgTC05uzP3z8QQUl2R++gClBVMgTSHjnE3dA84l9x:0VkRuR70yl03z8QQysBVMvY3dAfl9x

Score
10/10
nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      PW Loader.exe

    • Size

      354KB

    • MD5

      638ded3b1d340c2a35f1891759e11d3b

    • SHA1

      e290bb38e046a6d2ceef5632f1c1ab1fefde4d93

    • SHA256

      d46c7ba651d37e8e51e062320fa860fc7aa69b5ab142a91d614bf61a64b8f9eb

    • SHA512

      b8e61d0b992e887abc87f20b8ed7bff65801e9b9288a2ed296e4f4e2e3e1f0192c9b74a831a0d59814de222e73e358a14b2ae623ac5dd61d896b0445f7a21ab2

    • SSDEEP

      6144:/0XQ1m1ii5mwp+wR0O+VbL68KadaT6Cwfn/7NIY/Y+nNK2UX+8+Hxr:/0XQ1XQUweNbLBKa8T6CS/JaXJ+Hxr

    Score
    10/10
    nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Nanocore family

      nanocore

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks