Analysis Overview
SHA256
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
Threat Level: Known bad
The file DOCKING SURVEY CHECKLIST.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-15 23:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 23:54
Reported
2022-11-15 23:56
Platform
win7-20220812-en
Max time kernel
77s
Max time network
151s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1376 set thread context of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe
"C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBEAE.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC0A3.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
Files
memory/1376-54-0x0000000001180000-0x00000000011E2000-memory.dmp
memory/1376-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
memory/1608-56-0x0000000000000000-mapping.dmp
memory/1376-58-0x0000000000450000-0x000000000046C000-memory.dmp
memory/1640-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-66-0x000000000041E792-mapping.dmp
memory/1640-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1608-72-0x00000000714F0000-0x0000000071A9B000-memory.dmp
memory/1816-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBEAE.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmpC0A3.tmp
| MD5 | 0a24db62cb5b84309c4803346caaa25d |
| SHA1 | 67660778f61bb44168c33ed3fe56ed86cf9583e8 |
| SHA256 | 38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df |
| SHA512 | d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548 |
memory/1476-75-0x0000000000000000-mapping.dmp
memory/1640-77-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/1640-78-0x00000000003C0000-0x00000000003DE000-memory.dmp
memory/1640-79-0x00000000003B0000-0x00000000003BA000-memory.dmp
memory/1640-80-0x0000000002155000-0x0000000002166000-memory.dmp
memory/1640-81-0x0000000000930000-0x0000000000942000-memory.dmp
memory/1640-82-0x0000000000C60000-0x0000000000C7A000-memory.dmp
memory/1640-83-0x0000000000A90000-0x0000000000A9E000-memory.dmp
memory/1640-84-0x0000000002120000-0x0000000002132000-memory.dmp
memory/1640-85-0x0000000002130000-0x000000000213E000-memory.dmp
memory/1640-86-0x0000000002140000-0x000000000214C000-memory.dmp
memory/1640-87-0x0000000002190000-0x00000000021A4000-memory.dmp
memory/1640-88-0x00000000021A0000-0x00000000021B0000-memory.dmp
memory/1640-89-0x00000000022B0000-0x00000000022C4000-memory.dmp
memory/1640-90-0x0000000004300000-0x000000000430E000-memory.dmp
memory/1640-91-0x0000000004760000-0x000000000478E000-memory.dmp
memory/1640-92-0x0000000004320000-0x0000000004334000-memory.dmp
memory/1608-93-0x00000000714F0000-0x0000000071A9B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-15 23:54
Reported
2022-11-15 23:56
Platform
win10v2004-20221111-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4732 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe
"C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1211.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp13A8.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
| N/A | 52.168.112.66:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
Files
memory/4732-132-0x0000000000F50000-0x0000000000FB2000-memory.dmp
memory/4732-133-0x00000000080A0000-0x000000000813C000-memory.dmp
memory/4732-134-0x00000000086F0000-0x0000000008C94000-memory.dmp
memory/1412-135-0x0000000000000000-mapping.dmp
memory/1412-136-0x0000000000C10000-0x0000000000C46000-memory.dmp
memory/3488-137-0x0000000000000000-mapping.dmp
memory/3488-138-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1412-139-0x0000000004CA0000-0x00000000052C8000-memory.dmp
memory/3488-140-0x0000000004F30000-0x0000000004FC2000-memory.dmp
memory/1412-141-0x00000000049F0000-0x0000000004A12000-memory.dmp
memory/1412-142-0x0000000004C10000-0x0000000004C76000-memory.dmp
memory/1412-143-0x0000000005380000-0x00000000053E6000-memory.dmp
memory/3488-144-0x0000000004FF0000-0x0000000004FFA000-memory.dmp
memory/1428-145-0x0000000000000000-mapping.dmp
memory/1412-146-0x0000000005A40000-0x0000000005A5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1211.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
memory/4320-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp13A8.tmp
| MD5 | c9a4c783d2e18eea86e071de92f36f02 |
| SHA1 | 4cb02db05386ccb70a23fa89dbadfddfc8f7b6af |
| SHA256 | 21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a |
| SHA512 | b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef |
memory/1412-150-0x0000000006A20000-0x0000000006AB6000-memory.dmp
memory/1412-151-0x0000000005F20000-0x0000000005F3A000-memory.dmp
memory/1412-152-0x0000000005F80000-0x0000000005FA2000-memory.dmp