Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2022 19:31

General

  • Target

    4c7c0f5f613c66060cf3e490aca57c39.exe

  • Size

    203KB

  • MD5

    4c7c0f5f613c66060cf3e490aca57c39

  • SHA1

    cb79286c9ab591f426935c6cda60728985268b5d

  • SHA256

    88ca9076cf95fda93c3ccc3d2dff800859ee13cae7043209a483b47812963b2b

  • SHA512

    b056e8046cfa5bbc19cca73c7781daaf2303476b13729035bb814901b8b566ee32b5a6fdf62ce6dde19fa12fbcf220b3a38be233ed60d872a41fd994e8146d33

  • SSDEEP

    3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIYRcungwenxmj35QX3Lqs2j3Go:MLV6Bta6dtJmakIM5TcxA5QHLqxio

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c7c0f5f613c66060cf3e490aca57c39.exe
    "C:\Users\Admin\AppData\Local\Temp\4c7c0f5f613c66060cf3e490aca57c39.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFEE9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:880
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1052

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp10C.tmp

    Filesize

    1KB

    MD5

    981e126601526eaa5b0ad45c496c4465

    SHA1

    d610d6a21a8420cc73fcd3e54ddae75a5897b28b

    SHA256

    11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

    SHA512

    a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

  • C:\Users\Admin\AppData\Local\Temp\tmpFEE9.tmp

    Filesize

    1KB

    MD5

    b251b92dd22966c7b58160514ac81dfd

    SHA1

    c1a1c3a06ef0dc3f323d62120b9844be609f4ac6

    SHA256

    2819149b5b5c963b834473bf8ed8ed107506fddc36b76626ff0c710cd7180a4e

    SHA512

    e3e47c7ca69c76102e364742a6b0d02fc2e13bb33e21333f23a739df5f7438821fea326c31ec6fe53735d99457d0b5d4c972c2cff9e2a3b69ed542a961750b3b

  • memory/880-55-0x0000000000000000-mapping.dmp

  • memory/1052-57-0x0000000000000000-mapping.dmp

  • memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

    Filesize

    8KB

  • memory/1668-58-0x0000000073F70000-0x000000007451B000-memory.dmp

    Filesize

    5.7MB

  • memory/1668-60-0x0000000073F70000-0x000000007451B000-memory.dmp

    Filesize

    5.7MB