Analysis Overview
SHA256
9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea
Threat Level: Known bad
The file 9c8b27cd0131c5451b869eebce9518bf.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-18 06:46
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-18 06:46
Reported
2022-11-18 06:48
Platform
win10v2004-20220812-en
Max time kernel
69s
Max time network
151s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2112 set thread context of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe
"C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | lndcin.com | udp |
| N/A | 162.213.255.22:80 | lndcin.com | tcp |
| N/A | 8.8.8.8:53 | maxlogs.webhop.me | udp |
| N/A | 79.134.225.6:1620 | maxlogs.webhop.me | tcp |
| N/A | 8.238.23.254:80 | | tcp |
| N/A | 8.238.23.254:80 | | tcp |
| N/A | 51.116.253.170:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
Files
memory/2112-132-0x0000000000FE0000-0x0000000000FE8000-memory.dmp
memory/2112-133-0x0000000006090000-0x0000000006634000-memory.dmp
memory/2112-134-0x00000000059C0000-0x0000000005A52000-memory.dmp
memory/2112-135-0x0000000005990000-0x000000000599A000-memory.dmp
memory/2112-136-0x000000000B330000-0x000000000B352000-memory.dmp
memory/540-137-0x0000000000000000-mapping.dmp
memory/540-138-0x0000000000400000-0x0000000000438000-memory.dmp
memory/540-139-0x0000000005760000-0x00000000057FC000-memory.dmp
memory/540-140-0x0000000006F10000-0x0000000006F76000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-18 06:46
Reported
2022-11-18 06:48
Platform
win7-20221111-en
Max time kernel
55s
Max time network
151s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe
"C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | lndcin.com | udp |
| N/A | 162.213.255.22:80 | lndcin.com | tcp |
| N/A | 8.8.8.8:53 | maxlogs.webhop.me | udp |
| N/A | 79.134.225.6:1620 | maxlogs.webhop.me | tcp |
Files
memory/1272-54-0x0000000000940000-0x0000000000948000-memory.dmp
memory/1272-55-0x0000000075531000-0x0000000075533000-memory.dmp
memory/1272-56-0x000000000A040000-0x000000000A262000-memory.dmp
memory/1176-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-64-0x000000000041E792-mapping.dmp
memory/1176-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-70-0x0000000000290000-0x000000000029A000-memory.dmp
memory/1176-71-0x00000000002C0000-0x00000000002DE000-memory.dmp
memory/1176-72-0x00000000002A0000-0x00000000002AA000-memory.dmp
memory/1176-73-0x0000000004EF5000-0x0000000004F06000-memory.dmp
memory/1176-74-0x00000000005D0000-0x00000000005E2000-memory.dmp
memory/1176-75-0x0000000000AC0000-0x0000000000ADA000-memory.dmp
memory/1176-76-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
memory/1176-77-0x0000000000C00000-0x0000000000C12000-memory.dmp
memory/1176-79-0x0000000000E20000-0x0000000000E2E000-memory.dmp
memory/1176-78-0x0000000000E10000-0x0000000000E1C000-memory.dmp
memory/1176-80-0x0000000000E30000-0x0000000000E44000-memory.dmp
memory/1176-81-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/1176-82-0x0000000000F90000-0x0000000000FA4000-memory.dmp
memory/1176-83-0x0000000000FE0000-0x0000000000FEE000-memory.dmp
memory/1176-84-0x00000000048F0000-0x000000000491E000-memory.dmp
memory/1176-85-0x0000000001000000-0x0000000001014000-memory.dmp
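Both behavioral runs (win10v2004 and win7) show the same chain: the Temp-dropped sample spawns MSBuild.exe with no project file, rewrites its thread context (process hollowing), and the hollowed MSBuild.exe then writes a Run key pointing into Program Files (x86) and connects to 79.134.225.6:1620. The following is an added example of detection logic for that chain, not part of the sandbox report or of any vendor's ruleset. The events it runs over are constructed Sysmon-style records built from the PIDs, paths and addresses in the win10 run; the field names, the HKLM\ form of the registry path and the set of "expected" MSBuild.exe ports are assumptions.

```python
"""Detection for the MSBuild.exe hollowing chain in this report (added example).
Events below are constructed, Sysmon-style records modelled on the behavioral2
run; field names and the expected-port set are assumptions, not report data."""
from __future__ import annotations

import ntpath
import re

RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
EXPECTED_PORTS = {80, 443}  # assumption: a build tool has no business elsewhere
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"

# Constructed sample events: the reported chain on PID 540, plus one benign
# MSBuild.exe build (PID 900) for contrast.
EVENTS = [
    {"event": "process_create", "pid": 2112, "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{DROPPER}"'},
    {"event": "process_create", "pid": 540, "image": MSBUILD,
     "parent_image": DROPPER, "cmdline": MSBUILD},
    {"event": "registry_set", "pid": 540, "image": MSBUILD,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor",
     "details": r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"},
    {"event": "file_create", "pid": 540, "image": MSBUILD,
     "target": r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"},
    {"event": "network_connect", "pid": 540, "image": MSBUILD,
     "dst_ip": "79.134.225.6", "dst_port": 1620},
    {"event": "process_create", "pid": 900, "image": MSBUILD,
     "parent_image": r"C:\Program Files\dotnet\dotnet.exe",
     "cmdline": f'"{MSBUILD}" App.csproj /t:Build'},
    {"event": "network_connect", "pid": 900, "image": MSBUILD,
     "dst_ip": "93.184.221.240", "dst_port": 443},
]


def _is_msbuild(image: str) -> bool:
    return ntpath.basename(image).lower() == "msbuild.exe"


def _args_after_image(cmdline: str) -> str:
    """Everything after the first token (quoted or bare image path).
    A bare path containing spaces is not handled; MSBuild.exe's path has none."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def msbuild_no_project(ev: dict) -> bool:
    """MSBuild.exe started with no arguments by a parent living in Temp.
    A real build passes a project or solution file; a hollowing loader does not."""
    return (ev["event"] == "process_create" and _is_msbuild(ev["image"])
            and _args_after_image(ev["cmdline"]) == ""
            and bool(TEMP_RE.search(ev.get("parent_image", ""))))


def run_key_from_msbuild(ev: dict) -> bool:
    """Run-key value written by MSBuild.exe that points under Program Files."""
    return (ev["event"] == "registry_set" and _is_msbuild(ev["image"])
            and bool(RUN_KEY_RE.search(ev["target"]))
            and ev["details"].lower().startswith(r"c:\program files"))


def odd_port_from_msbuild(ev: dict) -> bool:
    """Outbound connection from MSBuild.exe to a port outside EXPECTED_PORTS."""
    return (ev["event"] == "network_connect" and _is_msbuild(ev["image"])
            and ev["dst_port"] not in EXPECTED_PORTS)


RULES = (msbuild_no_project, run_key_from_msbuild, odd_port_from_msbuild)


def correlate(events: list[dict]) -> dict[int, set[str]]:
    """Rule hits grouped by PID, so a full chain on one process stands out."""
    hits: dict[int, set[str]] = {}
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.setdefault(ev["pid"], set()).add(rule.__name__)
    return hits


def hollowed_msbuild_pids(events: list[dict]) -> list[int]:
    """PIDs on which all three stages fired: the high-confidence verdict."""
    wanted = {r.__name__ for r in RULES}
    return sorted(pid for pid, names in correlate(events).items() if names == wanted)


if __name__ == "__main__":
    for pid, names in sorted(correlate(EVENTS).items()):
        print(pid, sorted(names))
    print("hollowed MSBuild.exe:", hollowed_msbuild_pids(EVENTS))
```

The three rules are deliberately independent: the no-argument MSBuild.exe launch fires at the SetThreadContext stage before anything is dropped, the Run-key rule catches the persistence write even if the loader is swapped for another LOLBin, and the port rule keys on the 1620/tcp beacon. Only a PID that trips all three is reported as hollowed, which is what keeps the benign build on PID 900 out of the verdict.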