nanocore | 35e9a600576c02110e577a51b41a0df596126ccd260c9aa2210e2390e99ff776

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 17:48

Target

TeamzPAZ/Fortnite Checker TeamzPAZ.exe
Size

203KB
MD5

e8b7db8bfcbb200e704b65126660c529
SHA1

c69450b1f8d5ccb1743570d7a8091530493fc36d
SHA256

24cf8b07f7694cbfc67e79dd18d6c1fab296eec76120e269f96202e43aa4340a
SHA512

c5913c6548e1c76518d379928d239af028d11ee419fd5af1ee9a596e4c0c32581c60228569d589c85e0c23de2c71b713ebf9f9c0f89c1520cc373bb538556973
SSDEEP

6144:sLV6Bta6dtJmakIM5kcGLYiO5C3e6s7338vSz:sLV6Btpmk1YiOS1k3Tz

Score

10^/10

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

Fortnite Checker TeamzPAZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	Fortnite Checker TeamzPAZ.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Fortnite Checker TeamzPAZ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fortnite Checker TeamzPAZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fortnite Checker TeamzPAZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	Fortnite Checker TeamzPAZ.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	Fortnite Checker TeamzPAZ.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1028 schtasks.exe
2304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

pid process

4512 Fortnite Checker TeamzPAZ.exe
4512 Fortnite Checker TeamzPAZ.exe
4512 Fortnite Checker TeamzPAZ.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

pid process

4512 Fortnite Checker TeamzPAZ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description pid process

Token: SeDebugPrivilege 4512 Fortnite Checker TeamzPAZ.exe
Token: SeDebugPrivilege 4512 Fortnite Checker TeamzPAZ.exe

pid	process
1028	schtasks.exe
2304	schtasks.exe

pid	process
4512	Fortnite Checker TeamzPAZ.exe
4512	Fortnite Checker TeamzPAZ.exe
4512	Fortnite Checker TeamzPAZ.exe

pid	process
4512	Fortnite Checker TeamzPAZ.exe

description	pid	process
Token: SeDebugPrivilege	4512	Fortnite Checker TeamzPAZ.exe
Token: SeDebugPrivilege	4512	Fortnite Checker TeamzPAZ.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Fortnite Checker TeamzPAZ.exe

description	pid	process	target process
PID 4512 wrote to memory of 1028	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 4512 wrote to memory of 1028	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 4512 wrote to memory of 1028	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 4512 wrote to memory of 2304	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 4512 wrote to memory of 2304	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe
PID 4512 wrote to memory of 2304	4512	Fortnite Checker TeamzPAZ.exe	schtasks.exe

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B3F.tmp"
2⤵
- Creates scheduled task(s)
PID:1028

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5BCD.tmp"
2⤵
- Creates scheduled task(s)
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmp5B3F.tmp
Filesize
1KB

MD5
9b41f89f066c08039443859eab9b59dc

SHA1
2b136b1fa13669ff9c3500f9606c0cdac3c3491d

SHA256
8dded6ae15400906482f70c954d69b8fae3e5fa4ce2024159747293c7a370c42

SHA512
14bef00beb49bb6703275dcf1c856ee6f5f3ba474c3b51d1af7432a814c3d0cc8c409d6229e3e26aaa08532decf3ffeab9d27c620c76f51ccc8b42543536246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5BCD.tmp
Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/4512-0-0x0000000074822000-0x0000000074823000-memory.dmp

Filesize
4KB

Download
memory/4512-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-5-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-11-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-12-0x0000000074822000-0x0000000074823000-memory.dmp

Filesize
4KB

Download
memory/4512-13-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-14-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download