nanocore | 8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf

General

Target

20200630,pdf.exe
Size

309KB
MD5

ed370a632a9d033970d7707c9f80f355
SHA1

8cf0ce1460e29066fc816c9d5b03cd6134a8ec70
SHA256

8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf
SHA512

57c6ff34dd5adb20d9afa0c0684a91760830649aff811acd25e22409cbd1363562a96ecc202529dde0b5c54ff3a89d31c4c189fa8c173f2d188a200fe047a0aa

Score

10^/10

evasion trojan keylogger stealer spyware nanocore

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

billionaire.ddns.net:3734

Mutex

24d8b675-ce49-4a1b-a4a3-dc5d84e97d70

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-25T16:42:00.435974836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3734
default_group
Billion
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
24d8b675-ce49-4a1b-a4a3-dc5d84e97d70
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
billionaire.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Suspicious behavior: EnumeratesProcesses 10105 IoCs

Processes:

20200630,pdf.exe

pid	process
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe
1424	20200630,pdf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

pid	process
1096	schtasks.exe

Suspicious use of WriteProcessMemory 179 IoCs

Processes:

20200630,pdf.exeRegAsm.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe

description	pid	process	target process
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1424 wrote to memory of 1036	1424	20200630,pdf.exe	20200630,pdf.exe
PID 1424 wrote to memory of 1036	1424	20200630,pdf.exe	20200630,pdf.exe
PID 1424 wrote to memory of 1036	1424	20200630,pdf.exe	20200630,pdf.exe
PID 1424 wrote to memory of 1036	1424	20200630,pdf.exe	20200630,pdf.exe
PID 828 wrote to memory of 1096	828	RegAsm.exe	schtasks.exe
PID 828 wrote to memory of 1096	828	RegAsm.exe	schtasks.exe
PID 828 wrote to memory of 1096	828	RegAsm.exe	schtasks.exe
PID 828 wrote to memory of 1096	828	RegAsm.exe	schtasks.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1036 wrote to memory of 1764	1036	20200630,pdf.exe	20200630,pdf.exe
PID 1036 wrote to memory of 1764	1036	20200630,pdf.exe	20200630,pdf.exe
PID 1036 wrote to memory of 1764	1036	20200630,pdf.exe	20200630,pdf.exe
PID 1036 wrote to memory of 1764	1036	20200630,pdf.exe	20200630,pdf.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1764 wrote to memory of 1920	1764	20200630,pdf.exe	20200630,pdf.exe
PID 1764 wrote to memory of 1920	1764	20200630,pdf.exe	20200630,pdf.exe
PID 1764 wrote to memory of 1920	1764	20200630,pdf.exe	20200630,pdf.exe
PID 1764 wrote to memory of 1920	1764	20200630,pdf.exe	20200630,pdf.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 1920 wrote to memory of 2024	1920	20200630,pdf.exe	20200630,pdf.exe
PID 1920 wrote to memory of 2024	1920	20200630,pdf.exe	20200630,pdf.exe
PID 1920 wrote to memory of 2024	1920	20200630,pdf.exe	20200630,pdf.exe
PID 1920 wrote to memory of 2024	1920	20200630,pdf.exe	20200630,pdf.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 272	2024	20200630,pdf.exe	20200630,pdf.exe
PID 2024 wrote to memory of 272	2024	20200630,pdf.exe	20200630,pdf.exe
PID 2024 wrote to memory of 272	2024	20200630,pdf.exe	20200630,pdf.exe
PID 2024 wrote to memory of 272	2024	20200630,pdf.exe	20200630,pdf.exe

Suspicious behavior: MapViewOfSection 15 IoCs

Processes:

20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe

pid	process
1424	20200630,pdf.exe
1036	20200630,pdf.exe
1764	20200630,pdf.exe
1920	20200630,pdf.exe
2024	20200630,pdf.exe
272	20200630,pdf.exe
1632	20200630,pdf.exe
1908	20200630,pdf.exe
1060	20200630,pdf.exe
1268	20200630,pdf.exe
1436	20200630,pdf.exe
1812	20200630,pdf.exe
832	20200630,pdf.exe
832	20200630,pdf.exe
1880	20200630,pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

828 RegAsm.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

pid	process
828	RegAsm.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe

description	pid	process	target process
PID 1424 set thread context of 828	1424	20200630,pdf.exe	RegAsm.exe
PID 1036 set thread context of 1800	1036	20200630,pdf.exe	RegAsm.exe
PID 1764 set thread context of 1600	1764	20200630,pdf.exe	RegAsm.exe
PID 1920 set thread context of 1900	1920	20200630,pdf.exe	RegAsm.exe
PID 2024 set thread context of 1860	2024	20200630,pdf.exe	RegAsm.exe
PID 272 set thread context of 1812	272	20200630,pdf.exe	RegAsm.exe
PID 1632 set thread context of 1824	1632	20200630,pdf.exe	RegAsm.exe
PID 1908 set thread context of 1876	1908	20200630,pdf.exe	RegAsm.exe
PID 1060 set thread context of 1732	1060	20200630,pdf.exe	RegAsm.exe
PID 1268 set thread context of 1944	1268	20200630,pdf.exe	RegAsm.exe
PID 1436 set thread context of 1528	1436	20200630,pdf.exe	RegAsm.exe
PID 1812 set thread context of 632	1812	20200630,pdf.exe	RegAsm.exe
PID 832 set thread context of 1888	832	20200630,pdf.exe	RegAsm.exe
PID 1880 set thread context of 316	1880	20200630,pdf.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

20200630,pdf.exeRegAsm.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe20200630,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1424	20200630,pdf.exe
Token: SeDebugPrivilege	828	RegAsm.exe
Token: SeDebugPrivilege	1036	20200630,pdf.exe
Token: SeDebugPrivilege	1764	20200630,pdf.exe
Token: SeDebugPrivilege	1920	20200630,pdf.exe
Token: SeDebugPrivilege	2024	20200630,pdf.exe
Token: SeDebugPrivilege	272	20200630,pdf.exe
Token: SeDebugPrivilege	1632	20200630,pdf.exe
Token: SeDebugPrivilege	1908	20200630,pdf.exe
Token: SeDebugPrivilege	1060	20200630,pdf.exe
Token: SeDebugPrivilege	1268	20200630,pdf.exe
Token: SeDebugPrivilege	1436	20200630,pdf.exe
Token: SeDebugPrivilege	1812	20200630,pdf.exe
Token: SeDebugPrivilege	832	20200630,pdf.exe
Token: SeDebugPrivilege	1880	20200630,pdf.exe

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3477.tmp"
3⤵
- Creates scheduled task(s)
PID:1096

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\20200630,pdf.exe"
15⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3477.tmp

Download Submit
memory/272-26-0x0000000000000000-mapping.dmp

Download
memory/316-68-0x000000000041E792-mapping.dmp

Download
memory/632-58-0x000000000041E792-mapping.dmp

Download
memory/828-1-0x000000000041E792-mapping.dmp

Download
memory/828-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/828-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/828-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/832-61-0x0000000000000000-mapping.dmp

Download
memory/1036-4-0x0000000000000000-mapping.dmp

Download
memory/1060-41-0x0000000000000000-mapping.dmp

Download
memory/1096-5-0x0000000000000000-mapping.dmp

Download
memory/1268-46-0x0000000000000000-mapping.dmp

Download
memory/1436-51-0x0000000000000000-mapping.dmp

Download
memory/1528-53-0x000000000041E792-mapping.dmp

Download
memory/1600-13-0x000000000041E792-mapping.dmp

Download
memory/1632-31-0x0000000000000000-mapping.dmp

Download
memory/1732-43-0x000000000041E792-mapping.dmp

Download
memory/1764-11-0x0000000000000000-mapping.dmp

Download
memory/1800-8-0x000000000041E792-mapping.dmp

Download
memory/1812-28-0x000000000041E792-mapping.dmp

Download
memory/1812-56-0x0000000000000000-mapping.dmp

Download
memory/1824-33-0x000000000041E792-mapping.dmp

Download
memory/1860-71-0x0000000000000000-mapping.dmp

Download
memory/1860-23-0x000000000041E792-mapping.dmp

Download
memory/1876-38-0x000000000041E792-mapping.dmp

Download
memory/1880-66-0x0000000000000000-mapping.dmp

Download
memory/1888-63-0x000000000041E792-mapping.dmp

Download
memory/1900-18-0x000000000041E792-mapping.dmp

Download
memory/1908-36-0x0000000000000000-mapping.dmp

Download
memory/1920-16-0x0000000000000000-mapping.dmp

Download
memory/1944-48-0x000000000041E792-mapping.dmp

Download
memory/2024-21-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads