nanocore | f3238d349b2650f8e0446a2f73ef3d3fefec5d40268ebdf7eb42bc2ac8adec9e

General

Target

F2JC6A4V49B7.js
Size

81KB
MD5

e9e4fc8abb66f8c5fcf22de751661a85
SHA1

0473d2d0d1049d350c0c4bf7d14abad002425106
SHA256

f3238d349b2650f8e0446a2f73ef3d3fefec5d40268ebdf7eb42bc2ac8adec9e
SHA512

0d5253b9892eaa58c0622712978e9fee38e2e38ab6756b63936b6878fc7b65439e6567a65b2fdb39baff4b1e22bb81afba1344396e66f155bacded0c12bc5334

Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer trojan worm

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

fridayac.duckdns.org:8090

Mutex

6c5167df-4717-4e82-ab70-3a201017d990

Attributes

activate_away_mode
true
backup_connection_host
fridayac.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-20T18:05:52.679087536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8090
default_group
FRIDAY AC
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6c5167df-4717-4e82-ab70-3a201017d990
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fridayac.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

vjw0rm

C2

http://6800js.duckdns.org:6800

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

9 3940 wscript.exe
23 3940 wscript.exe
24 3940 wscript.exe
26 3940 wscript.exe
28 3940 wscript.exe
43 3940 wscript.exe
44 3940 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

k5ndpax.exe5HM26UANCR.execusuhzm.exe

pid process

1420 k5ndpax.exe
2320 5HM26UANCR.exe
2956 cusuhzm.exe

flow	pid	process
9	3940	wscript.exe
23	3940	wscript.exe
24	3940	wscript.exe
26	3940	wscript.exe
28	3940	wscript.exe
43	3940	wscript.exe
44	3940	wscript.exe

pid	process
1420	k5ndpax.exe
2320	5HM26UANCR.exe
2956	cusuhzm.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2JC6A4V49B7.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2JC6A4V49B7.js	wscript.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cusuhzm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	cusuhzm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	cusuhzm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\\svchost.exe = "0"	cusuhzm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe = "0"	cusuhzm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYK43BSFUJ = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\F2JC6A4V49B7.js'"	wscript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

cusuhzm.exe

pid	process
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe
2956	cusuhzm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cusuhzm.exe

description pid process target process

PID 2956 set thread context of 1236 2956 cusuhzm.exe cusuhzm.exe

description	pid	process	target process
PID 2956 set thread context of 1236	2956	cusuhzm.exe	cusuhzm.exe

Drops file in Windows directory 2 IoCs

Processes:

cusuhzm.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\\svchost.exe	cusuhzm.exe
File opened for modification	C:\Windows\Resources\Themes\aero\Shell\\svchost.exe	cusuhzm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

960 1420 WerFault.exe k5ndpax.exe
1636 2320 WerFault.exe 5HM26UANCR.exe
4028 2956 WerFault.exe cusuhzm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

504 schtasks.exe

pid	pid_target	process	target process
960	1420	WerFault.exe	k5ndpax.exe
1636	2320	WerFault.exe	5HM26UANCR.exe
4028	2956	WerFault.exe	cusuhzm.exe

pid	process
504	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f630400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

WerFault.exeWerFault.execusuhzm.exepowershell.exepowershell.exe

pid	process
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
2956	cusuhzm.exe
3952	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exeWerFault.execusuhzm.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	960	WerFault.exe
Token: SeBackupPrivilege	960	WerFault.exe
Token: SeDebugPrivilege	960	WerFault.exe
Token: SeDebugPrivilege	1636	WerFault.exe
Token: SeDebugPrivilege	2956	cusuhzm.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execusuhzm.exe

description	pid	process	target process
PID 3940 wrote to memory of 504	3940	wscript.exe	schtasks.exe
PID 3940 wrote to memory of 504	3940	wscript.exe	schtasks.exe
PID 3940 wrote to memory of 1420	3940	wscript.exe	k5ndpax.exe
PID 3940 wrote to memory of 1420	3940	wscript.exe	k5ndpax.exe
PID 3940 wrote to memory of 1420	3940	wscript.exe	k5ndpax.exe
PID 3940 wrote to memory of 2320	3940	wscript.exe	5HM26UANCR.exe
PID 3940 wrote to memory of 2320	3940	wscript.exe	5HM26UANCR.exe
PID 3940 wrote to memory of 2320	3940	wscript.exe	5HM26UANCR.exe
PID 3940 wrote to memory of 2956	3940	wscript.exe	cusuhzm.exe
PID 3940 wrote to memory of 2956	3940	wscript.exe	cusuhzm.exe
PID 3940 wrote to memory of 2956	3940	wscript.exe	cusuhzm.exe
PID 2956 wrote to memory of 3952	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 3952	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 3952	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 3304	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 3304	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 3304	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 2396	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 2396	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 2396	2956	cusuhzm.exe	powershell.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe
PID 2956 wrote to memory of 1236	2956	cusuhzm.exe	cusuhzm.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\F2JC6A4V49B7.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\F2JC6A4V49B7.js
2⤵
- Creates scheduled task(s)
PID:504

C:\Users\Admin\AppData\Local\Temp\k5ndpax.exe
"C:\Users\Admin\AppData\Local\Temp\k5ndpax.exe"
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 740
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\5HM26UANCR.exe
"C:\Users\Admin\AppData\Local\Temp\5HM26UANCR.exe"
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 740
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe
"C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\\svchost.exe" -Force
3⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe
"C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 2272
3⤵
- Program crash
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

4

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
636168e2a7d7f654239d2c9b903b5eab

SHA1
765bf615bc8c42ef026466292c1825411a112514

SHA256
61bb5285845ee506ee7cda0fbebc3d2c20030ca18a7a14900969f1eb00aa83e7

SHA512
da1da65a3f0906da80c9de84f1d09fd94ecea2394cd740ed0814ad15e4441c54b5b9528afdbe5b37e04935b21ccc0bdea0a99b8da7cef3ce3475d24c56a3a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HM26UANCR.exe
MD5
6b6704871ba95fc83795b45a0352fc98

SHA1
86a43525ad4dbfb7e5df50e21ef5cd517e216ccb

SHA256
2a6e497ab22ec6831c5959944130ef83233e2498298579c0e6ae5ab6f179e6c9

SHA512
756f6fc5b2ae7f5504f48e1303daa3d4c1091d05ffb5453667c5062c022815a5f11f0b6596b62750c70e21f62c6e43000f2e1163cf1acb3799f4040700086901

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HM26UANCR.exe
MD5
6b6704871ba95fc83795b45a0352fc98

SHA1
86a43525ad4dbfb7e5df50e21ef5cd517e216ccb

SHA256
2a6e497ab22ec6831c5959944130ef83233e2498298579c0e6ae5ab6f179e6c9

SHA512
756f6fc5b2ae7f5504f48e1303daa3d4c1091d05ffb5453667c5062c022815a5f11f0b6596b62750c70e21f62c6e43000f2e1163cf1acb3799f4040700086901

Download Submit
C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe
MD5
dba77d2aef754d4a6fb3658ac9513fcb

SHA1
160fb43e9e56ec42adba4c929d57e7df201310ee

SHA256
a8846eb9387acbf47fb91823d88b5d6ce0094d5748f97d5ae1d880c45d284173

SHA512
8cfb40bcdab72dd29395c32da4634d925285ef9c0e3c6cb13fd1219bf0c88e2c5a2b2223f8a4dd176260e458313f3e4480f5b60accbd26cc8439cb5bcb49a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe
MD5
dba77d2aef754d4a6fb3658ac9513fcb

SHA1
160fb43e9e56ec42adba4c929d57e7df201310ee

SHA256
a8846eb9387acbf47fb91823d88b5d6ce0094d5748f97d5ae1d880c45d284173

SHA512
8cfb40bcdab72dd29395c32da4634d925285ef9c0e3c6cb13fd1219bf0c88e2c5a2b2223f8a4dd176260e458313f3e4480f5b60accbd26cc8439cb5bcb49a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cusuhzm.exe
MD5
dba77d2aef754d4a6fb3658ac9513fcb

SHA1
160fb43e9e56ec42adba4c929d57e7df201310ee

SHA256
a8846eb9387acbf47fb91823d88b5d6ce0094d5748f97d5ae1d880c45d284173

SHA512
8cfb40bcdab72dd29395c32da4634d925285ef9c0e3c6cb13fd1219bf0c88e2c5a2b2223f8a4dd176260e458313f3e4480f5b60accbd26cc8439cb5bcb49a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5ndpax.exe
MD5
6b6704871ba95fc83795b45a0352fc98

SHA1
86a43525ad4dbfb7e5df50e21ef5cd517e216ccb

SHA256
2a6e497ab22ec6831c5959944130ef83233e2498298579c0e6ae5ab6f179e6c9

SHA512
756f6fc5b2ae7f5504f48e1303daa3d4c1091d05ffb5453667c5062c022815a5f11f0b6596b62750c70e21f62c6e43000f2e1163cf1acb3799f4040700086901

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5ndpax.exe
MD5
6b6704871ba95fc83795b45a0352fc98

SHA1
86a43525ad4dbfb7e5df50e21ef5cd517e216ccb

SHA256
2a6e497ab22ec6831c5959944130ef83233e2498298579c0e6ae5ab6f179e6c9

SHA512
756f6fc5b2ae7f5504f48e1303daa3d4c1091d05ffb5453667c5062c022815a5f11f0b6596b62750c70e21f62c6e43000f2e1163cf1acb3799f4040700086901

Download Submit
memory/504-115-0x0000000000000000-mapping.dmp

Download
memory/1236-199-0x00000000067C0000-0x00000000067D5000-memory.dmp

Filesize
84KB

Download
memory/1236-179-0x00000000055D0000-0x00000000055D5000-memory.dmp

Filesize
20KB

Download
memory/1236-154-0x000000000041E792-mapping.dmp

Download
memory/1236-180-0x00000000055E0000-0x00000000055F9000-memory.dmp

Filesize
100KB

Download
memory/1236-201-0x0000000006800000-0x0000000006806000-memory.dmp

Filesize
24KB

Download
memory/1236-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1236-181-0x0000000005F50000-0x0000000005F53000-memory.dmp

Filesize
12KB

Download
memory/1236-198-0x00000000067B0000-0x00000000067BD000-memory.dmp

Filesize
52KB

Download
memory/1236-186-0x0000000005200000-0x00000000056FE000-memory.dmp

Filesize
5.0MB

Download
memory/1420-119-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1420-116-0x0000000000000000-mapping.dmp

Download
memory/2320-121-0x0000000000000000-mapping.dmp

Download
memory/2396-137-0x0000000000000000-mapping.dmp

Download
memory/2396-196-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/2396-257-0x000000007FB40000-0x000000007FB41000-memory.dmp

Filesize
4KB

Download
memory/2396-168-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/2396-172-0x0000000006622000-0x0000000006623000-memory.dmp

Filesize
4KB

Download
memory/2396-147-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/2396-148-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/2396-311-0x0000000006623000-0x0000000006624000-memory.dmp

Filesize
4KB

Download
memory/2956-134-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/2956-131-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2956-145-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/2956-126-0x0000000000000000-mapping.dmp

Download
memory/2956-129-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2956-133-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/2956-132-0x0000000005170000-0x00000000051FB000-memory.dmp

Filesize
556KB

Download
memory/2956-150-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/3304-164-0x00000000068B2000-0x00000000068B3000-memory.dmp

Filesize
4KB

Download
memory/3304-193-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3304-253-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/3304-143-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3304-142-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3304-307-0x00000000068B3000-0x00000000068B4000-memory.dmp

Filesize
4KB

Download
memory/3304-161-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/3304-136-0x0000000000000000-mapping.dmp

Download
memory/3952-159-0x0000000007112000-0x0000000007113000-memory.dmp

Filesize
4KB

Download
memory/3952-141-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/3952-138-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3952-187-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/3952-182-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3952-192-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3952-139-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3952-135-0x0000000000000000-mapping.dmp

Download
memory/3952-140-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3952-183-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/3952-169-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3952-255-0x000000007E9A0000-0x000000007E9A1000-memory.dmp

Filesize
4KB

Download
memory/3952-165-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3952-304-0x0000000007113000-0x0000000007114000-memory.dmp

Filesize
4KB

Download
memory/3952-163-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/3952-153-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3952-157-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads