Analysis Overview
SHA256
798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
Threat Level: Known bad
The file 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
NTFS ADS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:44
Reported
2022-11-27 17:15
Platform
win7-20220812-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1392 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe
"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aBBBBB.xml"
C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe
"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"
C:\Users\Admin\AppData\Local\Temp\sql_support.exe
"C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 1488 C:\Users\Admin\AppData\Local\Temp\chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 0 > C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe:Zone.Identifier & exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aUUUUU.xml"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp |
| N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp |
| N/A | 127.0.0.1:53896 | N/A | tcp |
Files
memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp
memory/1392-55-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/1524-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aBBBBB.xml
| MD5 | 2c2b3ac9bdef149809bb454149b7e8df |
| SHA1 | 3d3fec0a80e3f0ca0e76b9fcff664819341be809 |
| SHA256 | 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba |
| SHA512 | 4a94125391b50d83050b15918d84ba704638d6a372ae676d28f62672aa7449a4d69c7113da653ebe7776948c604f11686f57c2c654829e291ccb563abb98e3cc |
memory/1392-58-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/1488-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-64-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-69-0x000000000041E792-mapping.dmp
memory/1488-71-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1488-73-0x0000000000400000-0x0000000000438000-memory.dmp
\Users\Admin\AppData\Local\Temp\sql_support.exe
| MD5 | 6a37314fe92378a49c260a32e766c4da |
| SHA1 | e809f3fa0769e264a549be8e7ea543fd7f96b34e |
| SHA256 | 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 |
| SHA512 | f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5 |
C:\Users\Admin\AppData\Local\Temp\sql_support.exe
| MD5 | 6a37314fe92378a49c260a32e766c4da |
| SHA1 | e809f3fa0769e264a549be8e7ea543fd7f96b34e |
| SHA256 | 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 |
| SHA512 | f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5 |
memory/1488-81-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/820-77-0x0000000000000000-mapping.dmp
memory/1628-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe
| MD5 | 6a37314fe92378a49c260a32e766c4da |
| SHA1 | e809f3fa0769e264a549be8e7ea543fd7f96b34e |
| SHA256 | 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 |
| SHA512 | f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5 |
memory/820-84-0x00000000745A0000-0x0000000074B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome.exe
| MD5 | 6a37314fe92378a49c260a32e766c4da |
| SHA1 | e809f3fa0769e264a549be8e7ea543fd7f96b34e |
| SHA256 | 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 |
| SHA512 | f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5 |
memory/268-86-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aUUUUU.xml
| MD5 | 2c2b3ac9bdef149809bb454149b7e8df |
| SHA1 | 3d3fec0a80e3f0ca0e76b9fcff664819341be809 |
| SHA256 | 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba |
| SHA512 | 4a94125391b50d83050b15918d84ba704638d6a372ae676d28f62672aa7449a4d69c7113da653ebe7776948c604f11686f57c2c654829e291ccb563abb98e3cc |
memory/1488-88-0x00000000745A0000-0x0000000074B4B000-memory.dmp
memory/820-89-0x00000000745A0000-0x0000000074B4B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:44
Reported
2022-11-27 17:20
Platform
win10v2004-20221111-en
Max time kernel
330s
Max time network
402s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe
"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 20.42.65.89:443 | N/A | tcp |
| N/A | 20.189.173.10:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/4188-132-0x0000000074AB0000-0x0000000075061000-memory.dmp
memory/4188-133-0x0000000074AB0000-0x0000000075061000-memory.dmp