Analysis Overview
SHA256
3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b
Threat Level: Known bad
The file 3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b was found to be: Known bad.
Malicious Activity Summary
NanoCore
Nanocore family
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:01
Signatures
Nanocore family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:01
Reported
2022-11-27 16:40
Platform
win7-20221111-en
Max time kernel
161s
Max time network
179s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe
"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDA8.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp20AC.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | lazyshare.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 35.212.156.187:80 | lazyshare.net | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
Files
memory/1628-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp
memory/1628-55-0x0000000074620000-0x0000000074BCB000-memory.dmp
memory/1428-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDA8.tmp
| Hash | Value |
|---|---|
| MD5 | 37e353043872dd9871820b5a1b667a3c |
| SHA1 | d957a0d83dad1fd90156b80260ed980c2215c2b3 |
| SHA256 | a8b0fcd21f2cd626bd19bca8900f6fa993ce554378cb48e670e90a6388e368a2 |
| SHA512 | b76d8e64de10c2df82248896adba3b01439f0fb71b3b890d4fcf0eef46a7cb60be7375b633a9daf2130696a4280131a82e34514c0e0cf7a6573227dd2e013fb2 |
memory/1480-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp20AC.tmp
| Hash | Value |
|---|---|
| MD5 | ea7095fa975a5ac043c9de2899ce61d0 |
| SHA1 | ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3 |
| SHA256 | 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f |
| SHA512 | b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb |
memory/1628-60-0x0000000074620000-0x0000000074BCB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:01
Reported
2022-11-27 16:39
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe
"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD7B.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAED4.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | lazyshare.net | udp |
| N/A | 35.212.156.187:80 | lazyshare.net | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 93.184.221.240:80 |  | tcp |
| N/A | 104.80.225.205:443 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 51.132.193.104:443 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 93.184.221.240:80 |  | tcp |
| N/A | 93.184.221.240:80 |  | tcp |
| N/A | 93.184.221.240:80 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 8.8.4.4:53 | actuall.ddns.net | udp |
| N/A | 8.8.8.8:53 | actuall.ddns.net | udp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
| N/A | 127.0.0.1:9005 |  | tcp |
Files
memory/372-135-0x0000000000000000-mapping.dmp
memory/1508-136-0x00000000750E0000-0x0000000075691000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAD7B.tmp
| Hash | Value |
|---|---|
| MD5 | 37e353043872dd9871820b5a1b667a3c |
| SHA1 | d957a0d83dad1fd90156b80260ed980c2215c2b3 |
| SHA256 | a8b0fcd21f2cd626bd19bca8900f6fa993ce554378cb48e670e90a6388e368a2 |
| SHA512 | b76d8e64de10c2df82248896adba3b01439f0fb71b3b890d4fcf0eef46a7cb60be7375b633a9daf2130696a4280131a82e34514c0e0cf7a6573227dd2e013fb2 |
memory/4660-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAED4.tmp
| Hash | Value |
|---|---|
| MD5 | 2f26d92c1eeead3896820e56ec46f6f1 |
| SHA1 | d95533b61eed7d89e4ada56bc566d60e42ac1f61 |
| SHA256 | 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa |
| SHA512 | 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892 |
memory/1508-140-0x00000000750E0000-0x0000000075691000-memory.dmp