Analysis Overview
SHA256
c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d
Threat Level: Known bad
The file c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:48
Signatures
Nanocore family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:48
Reported
2022-11-27 17:19
Platform
win7-20220901-en
Max time kernel
148s
Max time network
49s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
| File created | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe
"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD99.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | markus13.chickenkiller.com | udp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
Files
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp
memory/1640-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp
| MD5 | 3a73c4001d745adf4e70e4562531ffec |
| SHA1 | fb10145c878e931fb318fc7c51817cf7e6fae687 |
| SHA256 | 5f9514bf173f3f8403fe7f931e922629f839103d91bd73d77916561dcc13b019 |
| SHA512 | 0299413bc5094710d399f8a50253f4aa0a68cd14024da4713917b305bc6e57ecf7385846563bd16bdfab88671237df31c943b7587c3fcd7137820f5f07c68534 |
memory/1168-57-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/764-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD99.tmp
| MD5 | 885d6dd30570594e167fadb59d9ca0ea |
| SHA1 | 9981e583644c4eb9cf5056615a0e1c2913c8983b |
| SHA256 | 7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2 |
| SHA512 | 1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a |
memory/1168-60-0x0000000074720000-0x0000000074CCB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:48
Reported
2022-11-27 17:19
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe
"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF58.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE14D.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | markus13.chickenkiller.com | udp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 52.182.141.63:443 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
| N/A | 127.0.0.2:1640 | | tcp |
Files
memory/3868-132-0x0000000074750000-0x0000000074D01000-memory.dmp
memory/4924-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDF58.tmp
| MD5 | 3a73c4001d745adf4e70e4562531ffec |
| SHA1 | fb10145c878e931fb318fc7c51817cf7e6fae687 |
| SHA256 | 5f9514bf173f3f8403fe7f931e922629f839103d91bd73d77916561dcc13b019 |
| SHA512 | 0299413bc5094710d399f8a50253f4aa0a68cd14024da4713917b305bc6e57ecf7385846563bd16bdfab88671237df31c943b7587c3fcd7137820f5f07c68534 |
memory/364-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE14D.tmp
| MD5 | 2f26d92c1eeead3896820e56ec46f6f1 |
| SHA1 | d95533b61eed7d89e4ada56bc566d60e42ac1f61 |
| SHA256 | 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa |
| SHA512 | 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892 |
memory/3868-137-0x0000000074750000-0x0000000074D01000-memory.dmp