nanocore | 5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4

General

Target

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
Size

309KB
MD5

3e84ff0190e4ebfb051448fde035364e
SHA1

7efd883c4fcc49df5615658605d09d57e427dbc6
SHA256

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4
SHA512

c872e2af779db49352eb916321290f13fad7cf6acee518057009032cceea3b42b975566079560309c6df707d84a3abb5071d8bec52ad06cf60ea5807a1dd5cbf
SSDEEP

6144:5K9eooDK1zJmZNUrz21pQotrLHeHbxG/GWvmm8NErGQiVSHTXiPBKq4U:MoDIe63EphFyHFiGWvmmYyYgUn5

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

C2

tadas123.mooo.com:59786

ktmpss.mooo.com:59786

Mutex

fbd611ba-8508-451c-8f11-45e28ff8e35e

Attributes

activate_away_mode
true
backup_connection_host
ktmpss.mooo.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-14T14:04:43.383753236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
59786
default_group
CsGo Botai 0307
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
fbd611ba-8508-451c-8f11-45e28ff8e35e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tadas123.mooo.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstsc = "C:\\Users\\Admin\\Documents\\mstsc\\mstsc.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

description	pid	process	target process
PID 2032 set thread context of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 1296	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 1816	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 2100	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 2348	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 2460	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 set thread context of 2652	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a820b6233f0c0b5b0dcaddce2add74f9d511a5ce92bdb5014cf8d08cecbccf79000000000e8000000002000020000000bfc8be433ef73d47f49da36da67c83b8cae5e686a2d3c6c721d3d9c53f7890db20000000b80234e32eb7556b8ebcb930ebc27673b4b10dc6b67fcdf2be1cda86684488c34000000086e9bee3150c5e936ecf9647b72c1d09de99c75f44a9c9aaeb9b80da3b10b88d79c181ea19d31f5531f2e9d7b7f562e0408ef7d67e3b20cd7bc0646231cf0f12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402f128e4adfd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3B0D441-4B3D-11ED-A20B-4279513DF160} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000001d24ae92267d4b5afb7facea0f56ddf2b0f9192f347688ce1bb03f8df698ad03000000000e8000000002000020000000e5a0d0edbdc519e878d6eeaf92bb2385e632de953515d3e5d0f19f120699439c900000005d22bc741e95f9cd832bd0cd9637eb70814afeaef4b8b8f13338e4a3f867027f357957abae743404d7fb8864c39f6785b1547f870612b40fd596ec3a403737ad54963d3623d64837efd4fcdad2b6036a378c2b959d924a8485cd811be4b8c0b82cb51090965478d188afe25b8e78dda1aa262e6e8ed7e789715cd394c52f8485e0a6392eb1792ad451a4d42c747c9d5240000000e92503fd3b5e3a7ff31656f9063a0c92031401fe7f1a05f84aba0dc1565134a062d3ed6894575a53f8e50979ec58d1b79613bd7a43588bcb7646c08402912798	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372461365"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1664	ping.exe
1996	ping.exe
1660	ping.exe
456	ping.exe
1992	ping.exe
568	ping.exe
1592	ping.exe
1192	ping.exe
1692	ping.exe
1648	ping.exe
1276	ping.exe
1604	ping.exe
1548	ping.exe
304	ping.exe
904	ping.exe
584	ping.exe
1316	ping.exe
1380	ping.exe
816	ping.exe
1952	ping.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exeiexplore.exe

pid	process
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
1980	iexplore.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
1980	iexplore.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

description pid process

Token: SeDebugPrivilege 2032 5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1980 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1980	iexplore.exe
1980	iexplore.exe
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exeAppLaunch.exeiexplore.exe

description	pid	process	target process
PID 2032 wrote to memory of 1992	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1992	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1992	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1992	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 568	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 568	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 568	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 568	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1316	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1316	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1316	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1316	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1592	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1592	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1592	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1592	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1192	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1192	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1192	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1192	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1380	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1380	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1380	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1380	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1692	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1692	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1692	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1692	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 816	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 816	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 816	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 816	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1952	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1952	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1952	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1952	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1664	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1664	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1664	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1664	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1900	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	AppLaunch.exe
PID 2032 wrote to memory of 1548	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1548	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1548	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 2032 wrote to memory of 1548	2032	5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe	ping.exe
PID 1900 wrote to memory of 1980	1900	AppLaunch.exe	iexplore.exe
PID 1900 wrote to memory of 1980	1900	AppLaunch.exe	iexplore.exe
PID 1900 wrote to memory of 1980	1900	AppLaunch.exe	iexplore.exe
PID 1900 wrote to memory of 1980	1900	AppLaunch.exe	iexplore.exe
PID 1980 wrote to memory of 1904	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1904	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1904	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1904	1980	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe
"C:\Users\Admin\AppData\Local\Temp\5ba1ec417eed18b3f39bd6a83d171d9df8b6336adc966afaf083995d77c5fae4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1992

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:568

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1316

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1592

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1192

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1380

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1692

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:816

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1952

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:537610 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:209945 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:209957 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:1061904 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1548

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:304

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1996

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:904

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1660

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:584

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1648

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:456

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1276

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1956

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:1296

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:1976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:1816

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2100

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2348

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2460

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "mstsc" /t REG_SZ /F /D "C:\Users\Admin\Documents\mstsc\mstsc.exe
2⤵
- Adds Run key to start application
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\66YCQLJB.txt

Filesize
539B

MD5
524f6844de1b915c8dd62792b8bfa233

SHA1
f1d027439b2f716b6154ad3c0d97be0326e5bef6

SHA256
a75c30687ee055594c634afab85d3fa633df946b0c48506e1f27e2933cfc12ae

SHA512
c9c213f72dd8b2336f5a0136bd7afc9efb0865aa18f29f4dbbcb1f6d9ac3f1d0082c47530837d03e2cb5597fbfd420cd5899061d0e6d316a6bc2bef80e8bcb78

Download Submit
memory/304-81-0x0000000000000000-mapping.dmp

Download
memory/456-88-0x0000000000000000-mapping.dmp

Download
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/584-85-0x0000000000000000-mapping.dmp

Download
memory/816-64-0x0000000000000000-mapping.dmp

Download
memory/904-83-0x0000000000000000-mapping.dmp

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/1276-89-0x0000000000000000-mapping.dmp

Download
memory/1296-99-0x000000000041E73A-mapping.dmp

Download
memory/1316-58-0x0000000000000000-mapping.dmp

Download
memory/1380-62-0x0000000000000000-mapping.dmp

Download
memory/1548-76-0x0000000000000000-mapping.dmp

Download
memory/1592-59-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000000000-mapping.dmp

Download
memory/1648-87-0x0000000000000000-mapping.dmp

Download
memory/1660-84-0x0000000000000000-mapping.dmp

Download
memory/1664-66-0x0000000000000000-mapping.dmp

Download
memory/1692-63-0x0000000000000000-mapping.dmp

Download
memory/1816-113-0x000000000041E73A-mapping.dmp

Download
memory/1900-74-0x000000000041E73A-mapping.dmp

Download
memory/1900-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1920-91-0x0000000000000000-mapping.dmp

Download
memory/1952-65-0x0000000000000000-mapping.dmp

Download
memory/1956-90-0x0000000000000000-mapping.dmp

Download
memory/1976-105-0x0000000000000000-mapping.dmp

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/1996-82-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-60-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-120-0x0000000000000000-mapping.dmp

Download
memory/2100-128-0x000000000041E73A-mapping.dmp

Download
memory/2336-134-0x0000000000000000-mapping.dmp

Download
memory/2348-142-0x000000000041E73A-mapping.dmp

Download
memory/2448-148-0x0000000000000000-mapping.dmp

Download
memory/2460-156-0x000000000041E73A-mapping.dmp

Download
memory/2636-162-0x0000000000000000-mapping.dmp

Download
memory/2652-170-0x000000000041E73A-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads