Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
17-06-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
nano.exe
Resource
win7-20240221-en
General
-
Target
nano.exe
-
Size
585KB
-
MD5
41d27d71597c9d1163fb58a816223962
-
SHA1
2ae197a2724967fb0ae77ee0c20d95d354b9e5cb
-
SHA256
b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
-
SHA512
555aa48eaa46f83933e34c6e8ecaf79c8f1756fb9de79181e4132bc2d02c5789abba90458ad347a374f34fc829f83b36d6666f64a657bf7e99ca5cb9aac2e1a0
-
SSDEEP
12288:2aYEnxStMSe+LQMNQ7ZQhIyOQSNSY2CNZ+TB29JvNgRh:J/nxSiSCMNQFwt3Jx8gB29Jv2
Malware Config
Extracted
nanocore
1.2.2.0
2023endofyear.duckdns.org:15170
127.0.0.1:15170
68e7ea47-3f3c-4af7-9707-6d09d0468009
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-12-29T09:19:37.611227236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
15170
-
default_group
GLOBAL
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68e7ea47-3f3c-4af7-9707-6d09d0468009
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
2023endofyear.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid process
2108 powershell.exe
2644 powershell.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" nano.exe
-
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2060 set thread context of 2768 2060 nano.exe nano.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description ioc process
File created C:\Program Files (x86)\NAS Host\nashost.exe nano.exe
File opened for modification C:\Program Files (x86)\NAS Host\nashost.exe nano.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
2668 schtasks.exe
1800 schtasks.exe
2616 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid process
2108 powershell.exe
2644 powershell.exe
2768 nano.exe
2768 nano.exe
2768 nano.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2768 nano.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2644 powershell.exe
Token: SeDebugPrivilege 2108 powershell.exe
Token: SeDebugPrivilege 2768 nano.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description pid process target process
PID 2060 wrote to memory of 2108 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2108 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2108 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2108 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2644 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2644 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2644 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2644 2060 nano.exe powershell.exe
PID 2060 wrote to memory of 2668 2060 nano.exe schtasks.exe
PID 2060 wrote to memory of 2668 2060 nano.exe schtasks.exe
PID 2060 wrote to memory of 2668 2060 nano.exe schtasks.exe
PID 2060 wrote to memory of 2668 2060 nano.exe schtasks.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2060 wrote to memory of 2768 2060 nano.exe nano.exe
PID 2768 wrote to memory of 1800 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 1800 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 1800 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 1800 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 2616 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 2616 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 2616 2768 nano.exe schtasks.exe
PID 2768 wrote to memory of 2616 2768 nano.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\nano.exe
"C:\Users\Admin\AppData\Local\Temp\nano.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\nano.exe" 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe" 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp" 2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\nano.exe
"C:\Users\Admin\AppData\Local\Temp\nano.exe" 2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp" 3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp" 3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4EBC.tmp
Filesize 1KB
MD5 bea4e326d6dff14d735324d27e03956f
SHA1 c94861e7260f1b18d0a86742a3300f888224c4c4
SHA256 71c9a4181f05fc659666cafc040549140703a2cbe063dd70ee408eb41141421e
SHA512 1d8211e31bd90d55caf6674166b68b499a3f3e74e29b342472617a378fa99cff20c6063ef4358abdd5cdc12f6a7af375efb0297f150f02e5b79fa73cc877e315
-
C:\Users\Admin\AppData\Local\Temp\tmp518A.tmp
Filesize 1KB
MD5 082cbbf4722a31333759fefb09e31258
SHA1 baf14a5f6496b590dc89bd978b06acdfe66f4480
SHA256 6fc807dc7258be0c9a45ce66659d4893c3fbecf33d08c4a4452153ba64022f69
SHA512 e8576972437179a75afbe87d415d683ae8d80c33bab31626a93b481df87ad8207b87497360fd15986d94f6792b4aee50b9910fe41c4a799a64f54b575cccc6b5
-
C:\Users\Admin\AppData\Local\Temp\tmp51E8.tmp
Filesize 1KB
MD5 9f554f602c22cfc20079e966d177fadb
SHA1 789baa3425849bf239e47c6bcf352e6693a8c337
SHA256 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
SHA512 b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APVH8Y30AL2POFPD1ZPU.temp
Filesize 7KB
MD5 489175d72d90d28cf1919fdce53e24f8
SHA1 b70f9a2e18550fd9e0c6dc4ca5a45f483915f403
SHA256 0d2d8aea674cbcfbafbf207564520f19a3ca0ea9e3b5880ca7166c90bc2539a0
SHA512 b8028d57c98b854f87c669c5d3e935de5c2b1751022223c0c7538be057555218911e353837592fe1e779d77ecdeb4bbbbcd1878f5c66b8df098ed3a2e96ceb95
-
memory/2060-6-0x0000000002050000-0x00000000020CC000-memory.dmp
Filesize 496KB
-
memory/2060-31-0x0000000074B10000-0x00000000751FE000-memory.dmp
Filesize 6.9MB
-
memory/2060-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
Filesize 4KB
-
memory/2060-4-0x0000000000530000-0x0000000000538000-memory.dmp
Filesize 32KB
-
memory/2060-3-0x0000000000330000-0x0000000000344000-memory.dmp
Filesize 80KB
-
memory/2060-1-0x0000000000950000-0x00000000009E8000-memory.dmp
Filesize 608KB
-
memory/2060-2-0x0000000074B10000-0x00000000751FE000-memory.dmp
Filesize 6.9MB
-
memory/2060-5-0x0000000000580000-0x000000000058C000-memory.dmp
Filesize 48KB
-
memory/2768-29-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-32-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/2768-23-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-21-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-25-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-28-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-19-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize 232KB
-
memory/2768-40-0x00000000004F0000-0x00000000004FA000-memory.dmp
Filesize 40KB
-
memory/2768-41-0x0000000000540000-0x000000000054C000-memory.dmp
Filesize 48KB
-
memory/2768-42-0x0000000000660000-0x000000000067E000-memory.dmp
Filesize 120KB
-
memory/2768-43-0x0000000000680000-0x000000000068A000-memory.dmp
Filesize 40KB