nanocore | 35e9a600576c02110e577a51b41a0df596126ccd260c9aa2210e2390e99ff776

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 17:48

Target

TeamzPAZ/Fortnite Checker TeamzPAZ.exe
Size

203KB
MD5

e8b7db8bfcbb200e704b65126660c529
SHA1

c69450b1f8d5ccb1743570d7a8091530493fc36d
SHA256

24cf8b07f7694cbfc67e79dd18d6c1fab296eec76120e269f96202e43aa4340a
SHA512

c5913c6548e1c76518d379928d239af028d11ee419fd5af1ee9a596e4c0c32581c60228569d589c85e0c23de2c71b713ebf9f9c0f89c1520cc373bb538556973
SSDEEP

6144:sLV6Bta6dtJmakIM5kcGLYiO5C3e6s7338vSz:sLV6Btpmk1YiOS1k3Tz

Score

10^/10

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

Fortnite Checker TeamzPAZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	Fortnite Checker TeamzPAZ.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Fortnite Checker TeamzPAZ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fortnite Checker TeamzPAZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fortnite Checker TeamzPAZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	Fortnite Checker TeamzPAZ.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	Fortnite Checker TeamzPAZ.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2044 schtasks.exe
1260 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

pid process

2384 Fortnite Checker TeamzPAZ.exe
2384 Fortnite Checker TeamzPAZ.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

pid process

2384 Fortnite Checker TeamzPAZ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description pid process

Token: SeDebugPrivilege 2384 Fortnite Checker TeamzPAZ.exe
Token: SeDebugPrivilege 2384 Fortnite Checker TeamzPAZ.exe

pid	process
2044	schtasks.exe
1260	schtasks.exe

pid	process
2384	Fortnite Checker TeamzPAZ.exe
2384	Fortnite Checker TeamzPAZ.exe

pid	process
2384	Fortnite Checker TeamzPAZ.exe

description	pid	process
Token: SeDebugPrivilege	2384	Fortnite Checker TeamzPAZ.exe
Token: SeDebugPrivilege	2384	Fortnite Checker TeamzPAZ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description	pid	process	target process
PID 2384 wrote to memory of 2044	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 2044	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 2044	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 2044	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 1260	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 1260	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 1260	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 2384 wrote to memory of 1260	2384	Fortnite Checker TeamzPAZ.exe	schtasks.exe

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD9.tmp"
2⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1066.tmp"
2⤵
- Creates scheduled task(s)
PID:1260

C:\Users\Admin\AppData\Local\Temp\tmp1066.tmp
Filesize
1KB

MD5
3d1580c0395f6de62659467f5b7f1acf

SHA1
8e73a3885896cecca7ff799a272fc9ddfe06ea96

SHA256
6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714

SHA512
7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD9.tmp
Filesize
1KB

MD5
9b41f89f066c08039443859eab9b59dc

SHA1
2b136b1fa13669ff9c3500f9606c0cdac3c3491d

SHA256
8dded6ae15400906482f70c954d69b8fae3e5fa4ce2024159747293c7a370c42

SHA512
14bef00beb49bb6703275dcf1c856ee6f5f3ba474c3b51d1af7432a814c3d0cc8c409d6229e3e26aaa08532decf3ffeab9d27c620c76f51ccc8b42543536246b

Download Submit
memory/2384-0-0x0000000074471000-0x0000000074472000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-10-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download