Analysis Overview
SHA256
10baa6d05b3c183c369b55d8e25561f44f8afe37267bfa704019b72573eb6fcf
Threat Level: Known bad
The file 10baa6d05b3c183c369b55d8e25561f44f8afe37267bfa704019b72573eb6fcf was found to be: Known bad.
Malicious Activity Summary
NanoCore
Modifies visiblity of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:55
Reported
2022-11-27 17:31
Platform
win7-20220812-en
Max time kernel
41s
Max time network
68s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0928211.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0928211.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0928211.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0928211.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw = "C:\\Users\\Admin\\99o623u41dw\\slimnvmimjjkbr.vbs" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 944 set thread context of 1348 | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\img_0928211.exe
"C:\Users\Admin\AppData\Local\Temp\img_0928211.exe"
C:\Users\Admin\99o623u41dw\gfcbk.exe
"C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"
Network
| Country | Destination | Domain | Proto |
| N/A | 23.73.0.160:443 | tcp | |
| N/A | 23.73.0.164:443 | tcp | |
| N/A | 23.73.0.164:443 | tcp | |
| N/A | 23.73.0.164:443 | tcp | |
| N/A | 23.73.0.164:443 | tcp |
Files
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
memory/944-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
C:\Users\Admin\99o623u41dw\arjegv
| MD5 | e8a49826e98e50df869a51cd31781079 |
| SHA1 | 451437b6d6cc7cb287e114e7beca6ce74fb39d57 |
| SHA256 | fc22c9533e7109817e21d9a4e6cf1dd800ec8f531914757ffc79f1d7d6886263 |
| SHA512 | 80e3c9b86b35a7ed815d6f16f5869f1d172a2f38b3528ece2ca208df3406aca245517771d408aafeae8fba97a328aadf95a675e305b330f0614cfce6f441c4a1 |
C:\Users\Admin\99O623~1\piuqnjuz.NZW
| MD5 | e7ed5b3ce727a6a3b2880c5425635a53 |
| SHA1 | 9d7cc91df067969232fdd914eab9c72cb2f8227e |
| SHA256 | ec00d718336b97497192c9b919e1a3704db4e2bfdef7ddcf69abddf46269fdbc |
| SHA512 | d6a8d1b93a17bb11efbfcf996cae9568cd8d4dda7f91d137875bec67b164c4b36a2f6a744cfafc8f194825133b0feaac1b49b457c928becc8ea732bd6a0b9bab |
C:\Users\Admin\99O623~1\KXKRZT~1.JKD
| MD5 | 5af78a7ae95dc6dbf695b7c467d8b5cf |
| SHA1 | 10f23008204410a796b973d9650640d8b741fee2 |
| SHA256 | 09eaa6dc4de1fac152662f4a2b50e724a7835b3c7883c3cd41fb67ee1e1fe04d |
| SHA512 | 39b7d5931a7c2a0d8176fdaa5b4af4a8d1a4d5baac0865fac40d984b890e9ee9748c64361e50d2c4ce4fdc8a7f3503ca0ad9c311faba09e9e40a843dc35431ce |
memory/1348-66-0x000000000041EDAE-mapping.dmp
memory/880-67-0x0000000000000000-mapping.dmp
memory/812-69-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:55
Reported
2022-11-27 17:31
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| N/A | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\img_0928211.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw = "C:\\Users\\Admin\\99o623u41dw\\slimnvmimjjkbr.vbs" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw = "C:\\Users\\Admin\\99o623u41dw\\slimnvmimjjkbr.vbs" | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 1660 | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 3540 set thread context of 1580 | N/A | C:\Users\Admin\99o623u41dw\gfcbk.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Users\Admin\99o623u41dw\gfcbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\img_0928211.exe
"C:\Users\Admin\AppData\Local\Temp\img_0928211.exe"
C:\Users\Admin\99o623u41dw\gfcbk.exe
"C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1660 -ip 1660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 80
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"
C:\Users\Admin\99o623u41dw\gfcbk.exe
"C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.44:443 | tcp | |
| N/A | 20.42.65.84:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.8.8:53 | nattyma.no-ip.biz | udp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 104.80.229.204:443 | tcp |
Files
C:\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
C:\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
memory/1656-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\99o623u41dw\arjegv
| MD5 | e8a49826e98e50df869a51cd31781079 |
| SHA1 | 451437b6d6cc7cb287e114e7beca6ce74fb39d57 |
| SHA256 | fc22c9533e7109817e21d9a4e6cf1dd800ec8f531914757ffc79f1d7d6886263 |
| SHA512 | 80e3c9b86b35a7ed815d6f16f5869f1d172a2f38b3528ece2ca208df3406aca245517771d408aafeae8fba97a328aadf95a675e305b330f0614cfce6f441c4a1 |
C:\Users\Admin\99O623~1\piuqnjuz.NZW
| MD5 | e7ed5b3ce727a6a3b2880c5425635a53 |
| SHA1 | 9d7cc91df067969232fdd914eab9c72cb2f8227e |
| SHA256 | ec00d718336b97497192c9b919e1a3704db4e2bfdef7ddcf69abddf46269fdbc |
| SHA512 | d6a8d1b93a17bb11efbfcf996cae9568cd8d4dda7f91d137875bec67b164c4b36a2f6a744cfafc8f194825133b0feaac1b49b457c928becc8ea732bd6a0b9bab |
C:\Users\Admin\99O623~1\KXKRZT~1.JKD
| MD5 | 5af78a7ae95dc6dbf695b7c467d8b5cf |
| SHA1 | 10f23008204410a796b973d9650640d8b741fee2 |
| SHA256 | 09eaa6dc4de1fac152662f4a2b50e724a7835b3c7883c3cd41fb67ee1e1fe04d |
| SHA512 | 39b7d5931a7c2a0d8176fdaa5b4af4a8d1a4d5baac0865fac40d984b890e9ee9748c64361e50d2c4ce4fdc8a7f3503ca0ad9c311faba09e9e40a843dc35431ce |
memory/1660-138-0x0000000000000000-mapping.dmp
memory/4312-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\99O623~1\run.vbs
| MD5 | e691daeccb1a1cfd97689d488a259a58 |
| SHA1 | 16ce3499fed564101753295fabab38c5a4cea107 |
| SHA256 | 2229da69670276efbccb36d4fb72c17b532841c16a735e8e8aa3701a8bf3ebaf |
| SHA512 | 20ef3fb0d139ceed038e5b98aed9673ca737506b8f9bdab8e727b62f2dcf38300ec5a1cc8a657e64854e5e1abc926f3707b7ade085bc3a6c0d8c45199ef947a4 |
memory/3540-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\99o623u41dw\gfcbk.exe
| MD5 | 205e802415422fa581afd6973e61d0e4 |
| SHA1 | aa9abf929198f24af7e57f1864a6d370649e2af2 |
| SHA256 | 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c |
| SHA512 | 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59 |
memory/1580-144-0x0000000000000000-mapping.dmp
memory/1580-145-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1580-146-0x0000000073F60000-0x0000000074511000-memory.dmp
memory/1580-147-0x0000000073F60000-0x0000000074511000-memory.dmp