Analysis

  • max time kernel
    53s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2022 20:03

General

  • Target

    tmp.exe

  • Size

    202KB

  • MD5

    4cedeb7f2bbb865949fac916f31ff5c6

  • SHA1

    23f459e090f237b419b33b331818b17ab805f768

  • SHA256

    37df56b4f26fcb210022abed5de5698854b8d0504c6305422ee2730ee06ead15

  • SHA512

    c38c1f6b0c43b0546917fb5e3a60f922798120d9f870f5c9920ac199907663968a201c5ad0ed80b9621cd4d37d8e7b1d5dac7c76ee09000b78bb658ea86b7809

  • SSDEEP

    3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI4jT9cx77B7aqetQ0XdeMBma1K:wLV6Bta6dtJmakIM5ox79PEQ8QVP3

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    PID:4588

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • memory/4588-132-0x0000000075360000-0x0000000075911000-memory.dmp
                        • memory/4588-133-0x0000000075360000-0x0000000075911000-memory.dmp