Analysis Overview
SHA256
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
Threat Level: Known bad
The file DOCKING SURVEY CHECKLIST.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-15 23:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 23:54
Reported
2022-11-15 23:56
Platform
win7-20221111-en
Max time kernel
67s
Max time network
152s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1368 set thread context of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe
"C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp868F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8883.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp868F.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp8883.tmp
| MD5 | 981e126601526eaa5b0ad45c496c4465 |
| SHA1 | d610d6a21a8420cc73fcd3e54ddae75a5897b28b |
| SHA256 | 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527 |
| SHA512 | a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-15 23:54
Reported
2022-11-15 23:56
Platform
win10v2004-20221111-en
Max time kernel
50s
Max time network
151s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4824 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\DSL Manager\dslmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DSL Manager\dslmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe
"C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DOCKING SURVEY CHECKLIST.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Syxbdhdstem.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF5FD.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF6D9.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
| N/A | 20.50.73.10:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpF5FD.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmpF6D9.tmp
| MD5 | a0bcaf1694d4fcae2c44258530850f35 |
| SHA1 | 99e9ccea3a9dca8d94808f6488fdc37c0b3bfe73 |
| SHA256 | 099c4a82d8e8ddf5ff801a8f08fb5a143834506e936ce846b380a42eb24e888e |
| SHA512 | ad3f2fbc09f7d57c24a35a62f00251c93d480e065f3b7fbc7133736cb144a3031fdc9f3e8be8a1c6dcdb8b3def654618faab416f66a28628ab71e55de4df0da3 |