Overview

overview

10

Static

static

10

test.exe

windows7-x64

10

test.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2022 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    210KB

  • MD5

    e6d22c879c7e87b2e6d356f43b6ac881

  • SHA1

    470d67e7392baefaffd165a242bd89de0ab17e64

  • SHA256

    f4312184c70e8c35f4bb4b412b3e6ce8be9fcfd9fae0bdca64af56ba817b413a

  • SHA512

    74b8ec5ceaa0cfea135da3368884fe80bbf66c602ebd624993148ad3c08ebebca82ed471df74a5accf4e501e6aee8e39d0a5b1591e3e67271c06b08bd36cc3b7

  • SSDEEP

    6144:gLV6Bta6dtJmakIM5cAC/XCGSE63wOoEB:gLV6BtpmkLAC/JS9gEB

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DOS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:5044
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DOS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp11E3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp
    Filesize

    1KB

    MD5

    daa959fa3888b5436fb93b6796bc803b

    SHA1

    43b8b749c623daede8374165806b8354655fa06c

    SHA256

    da87a4088b0f1dce79ca8128c8275cb6eaf527e571c68a6fb3a0b56576d38344

    SHA512

    aba76a0d311ad0466c64aac0d8f6ed483d2006dc0f14ac78af6af33b9db920a3735fa9478bb6fc5535f4b5eb9621479ec6f8172e05089c27872016ae08f896f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp11E3.tmp
    Filesize

    1KB

    MD5

    e380299eb53398115b7125b2b75c4798

    SHA1

    ee59b86ea0abf4097ff94bd940521c583803b036

    SHA256

    edb658b6577a80126eaacdf2a566755b63d7b2438fe0bcf3aea83930036811f3

    SHA512

    d9e3f3b1370fe4fce4a631a5d0669cef34bfe83dec146b606eff562c7cc450639304a732104f425a7ccfdded58064f28a98434a59ed8d93b595d64d1e1a2dde1

    Download Submit

  • memory/872-135-0x0000000000000000-mapping.dmp

    Download

  • memory/2936-132-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2936-137-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5044-133-0x0000000000000000-mapping.dmp

    Download