Analysis Overview
SHA256
e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9
Threat Level: Known bad
The file e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-27 00:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-27 00:02
Reported
2022-11-27 17:41
Platform
win7-20221111-en
Max time kernel
191s
Max time network
197s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 576 set thread context of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
| File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| PID | Image | Command line |
| 576 | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | "C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe" |
| 668 | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | "C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe" |
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp | 20 |
| N/A | 8.8.4.4:53 | funnypic.dyndns-remote.com | udp | 19 |
Identical rows are collapsed; Count is the number of times the row appeared. Only DNS traffic was recorded in this run: 39 lookups of funnypic.dyndns-remote.com across the two resolvers within the 197 s network window, and no TCP connection to any address.
Files
memory/576-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
memory/576-55-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/576-56-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/576-57-0x00000000020E6000-0x00000000020F7000-memory.dmp
memory/668-58-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-59-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-61-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-62-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-65-0x000000000041E792-mapping.dmp
memory/668-66-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-67-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-71-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/668-74-0x0000000000080000-0x00000000000DA000-memory.dmp
memory/576-76-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/576-77-0x00000000020E6000-0x00000000020F7000-memory.dmp
memory/668-78-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/668-79-0x0000000074610000-0x0000000074BBB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-27 00:02
Reported
2022-11-27 17:40
Platform
win10v2004-20220901-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3704 set thread context of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| PID | Image | Command line |
| 3704 | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | "C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe" |
| 4956 | C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe | "C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe" |
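The signature rows of both detonations describe one install chain: the sample, running from the user's Temp directory, creates a copy of itself under Program Files (x86) with a service-sounding name (ISS Manager\issmgr.exe on Windows 7, DHCP Subsystem\dhcpss.exe on Windows 10), points an HKLM Run value at that copy, runs a second instance of its own image, and rewrites a thread context in it while holding SeDebugPrivilege and using WriteProcessMemory. The Python below is an added example, not part of this report or of any sandbox's code: it correlates constructed events shaped after those rows and surfaces exactly those two patterns, a Run value whose target the same process also created, and a parent changing a thread context in a child that is a copy of itself. The event field names, the explorer.exe launcher and the parent/child link between the two sample PIDs are assumptions of the example; the report shows which PID set the other's thread context but does not state which process created which.

```python
"""Correlate sandbox-style events into the two behaviours the report pairs:
a self-copy dropped under Program Files and wired to a Run key, and a parent
rewriting a thread context in a child that is a copy of its own image.

The event dicts are constructed for this example from the report's signature
rows; the field names (kind, pid, image, target, data, ...) are this example's
own convention, not a format the report or any tool emits.
"""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def norm_path(path):
    """Registry string data in the report is shown quoted with doubled
    backslashes; file events are not. Bring both to one comparable form."""
    return path.strip('"').replace("\\\\", "\\").lower()


def find_persistence_drops(events):
    """Return (pid, image, dropped_path) for every process that both created a
    file and set a Run-key value pointing at that same file, in either order."""
    created = defaultdict(set)      # pid -> normalised paths it created
    run_targets = defaultdict(set)  # pid -> normalised Run value data it wrote
    image_of = {}
    for ev in events:
        image_of[ev["pid"]] = ev["image"]
        if ev["kind"] == "file_create":
            created[ev["pid"]].add(norm_path(ev["target"]))
        elif ev["kind"] == "reg_set" and RUN_KEY_RE.search(ev["target"]):
            run_targets[ev["pid"]].add(norm_path(ev["data"]))
    return sorted(
        (pid, image_of[pid], path)
        for pid in created
        for path in created[pid] & run_targets[pid])


def find_self_hollowing(events):
    """Return (parent_pid, child_pid) where a process started its own image and
    then changed a thread context in that child (the report's 'PID X set thread
    context of Y' row): the shape of hollowing a suspended self-copy."""
    spawned_self = {}  # child pid -> parent pid, only for same-image spawns
    for ev in events:
        if (ev["kind"] == "process_create"
                and norm_path(ev["image"]) == norm_path(ev["parent_image"])):
            spawned_self[ev["pid"]] = ev["parent_pid"]
    return sorted({
        (ev["pid"], ev["target_pid"])
        for ev in events
        if ev["kind"] == "set_thread_context"
        and spawned_self.get(ev["target_pid"]) == ev["pid"]})


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe")
EXPLORER = r"C:\Windows\explorer.exe"  # assumed launcher; the report names no parent

# Constructed from the Win7 run (PIDs 576 -> 668) and the Win10 run (3704 -> 4956),
# plus one control: an installer registering a Run value for a file it did not create.
EVENTS = [
    {"kind": "process_create", "pid": 576, "image": SAMPLE, "parent_pid": 1000, "parent_image": EXPLORER},
    {"kind": "reg_set", "pid": 576, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager",
     "data": r'"C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"'},
    {"kind": "file_create", "pid": 576, "image": SAMPLE,
     "target": r"C:\Program Files (x86)\ISS Manager\issmgr.exe"},
    {"kind": "process_create", "pid": 668, "image": SAMPLE, "parent_pid": 576, "parent_image": SAMPLE},
    {"kind": "set_thread_context", "pid": 576, "image": SAMPLE, "target_pid": 668},
    {"kind": "process_create", "pid": 3704, "image": SAMPLE, "parent_pid": 1000, "parent_image": EXPLORER},
    {"kind": "file_create", "pid": 3704, "image": SAMPLE,
     "target": r"C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe"},
    {"kind": "reg_set", "pid": 3704, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem",
     "data": r'"C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe"'},
    {"kind": "process_create", "pid": 4956, "image": SAMPLE, "parent_pid": 3704, "parent_image": SAMPLE},
    {"kind": "set_thread_context", "pid": 3704, "image": SAMPLE, "target_pid": 4956},
    {"kind": "reg_set", "pid": 42, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\\Program Files\\Vendor\\updater.exe"'},
]

if __name__ == "__main__":
    for pid, image, path in find_persistence_drops(EVENTS):
        print(f"persistence: pid {pid} ({image}) created and registered {path}")
    for parent, child in find_self_hollowing(EVENTS):
        print(f"self-hollowing: pid {parent} set thread context in its own copy, pid {child}")
```

The two checks are deliberately joined on the acting process rather than on the file name, because the dropped name changes between runs (issmgr.exe, dhcpss.exe) while the behaviour does not; the control row shows that a Run value alone is not enough to fire.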
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp | 46 |
| N/A | 8.8.4.4:53 | funnypic.dyndns-remote.com | udp | 31 |
| N/A | 209.197.3.8:80 | (none recorded) | tcp | 1 |
| N/A | 93.184.220.29:80 | (none recorded) | tcp | 1 |
| N/A | 20.189.173.15:443 | (none recorded) | tcp | 1 |
| N/A | 2.18.109.224:443 | (none recorded) | tcp | 1 |
Identical rows are collapsed; Count is the number of times the row appeared. The run made 77 lookups of funnypic.dyndns-remote.com within the 152 s network window, and no recorded connection carries that hostname. The four TCP connections have no domain in the report and are not tied to the sample by any signature row, so they cannot be attributed to it from this page alone.
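Both Network tables share one shape: dozens of UDP/53 lookups of a single dynamic-DNS hostname against the two Google resolvers, no connection that carries that hostname, and, on Windows 10 only, a few TCP connections with no domain recorded. The Python below is an added example, not the report's own tooling: it parses rows in the report's table format (including the shifted column on rows that have no domain), counts lookups per hostname, collects connections, and flags names that were resolved repeatedly without ever appearing on a connection, the pattern a practitioner reads as a C2 name that did not resolve or a server that was not reachable during detonation. The table excerpt is a constructed subset of this page's rows with one control row added for the example; the dynamic-DNS suffix list is illustrative, not a complete list.

```python
"""Extract DNS and connection indicators from network tables in the report's
format and flag hostnames resolved repeatedly but never connected to.

TABLE_EXCERPT is constructed for this example from rows on this page (it is a
subset, not the full table) plus one control row; the row layout is the
report's own. DYNAMIC_DNS_SUFFIXES is an illustrative assumption.
"""
import re
from collections import Counter

# | Country | Destination | Domain | Proto |   (rows with no domain shift proto left)
ROW_RE = re.compile(r"^\|\s*([^|]*)\|\s*([^|]*)\|\s*([^|]*)\|\s*([^|]*)\|")

DYNAMIC_DNS_SUFFIXES = ("dyndns-remote.com", "dyndns.org", "no-ip.org",
                        "ddns.net", "hopto.org", "duckdns.org")


def parse_rows(table_text):
    """Yield (ip, port, domain, proto) for each data row, skipping the header.
    A row like '| N/A | 209.197.3.8:80 | tcp | |' has its protocol in the
    Domain column; that quirk is corrected here."""
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _, dest, col3, col4 = (g.strip() for g in m.groups())
        if dest in ("", "Destination"):
            continue
        if col4 == "" and col3 in ("tcp", "udp"):
            domain, proto = "", col3
        else:
            domain, proto = col3, col4
        ip, port = dest.rsplit(":", 1)
        yield ip, int(port), domain, proto


def summarize(rows):
    """Count DNS queries per hostname; collect (ip, port, domain) connections."""
    queries = Counter()
    connections = set()
    for ip, port, domain, proto in rows:
        if proto == "udp" and port == 53 and domain:
            queries[domain] += 1
        elif proto == "tcp":
            connections.add((ip, port, domain))
    return queries, connections


def is_dynamic_dns(host):
    """True when the host sits under one of the (illustrative) dynamic-DNS zones."""
    return host.lower().endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES))


def flag_unanswered_beacons(queries, connections, min_queries=5):
    """Hostnames looked up at least min_queries times that never appear as the
    domain of any connection, most frequent first."""
    connected_hosts = {domain for _, _, domain in connections if domain}
    return [
        {"host": host, "queries": n, "dynamic_dns": is_dynamic_dns(host)}
        for host, n in queries.most_common()
        if n >= min_queries and host not in connected_hosts]


TABLE_EXCERPT = """\
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp |
| N/A | 8.8.4.4:53 | funnypic.dyndns-remote.com | udp |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp |
| N/A | 20.189.173.15:443 | tcp | |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp |
| N/A | 8.8.4.4:53 | funnypic.dyndns-remote.com | udp |
| N/A | 8.8.8.8:53 | funnypic.dyndns-remote.com | udp |
| N/A | 8.8.8.8:53 | example.com | udp |
"""
# The last row is a constructed control (a single lookup) and is not from the report.

if __name__ == "__main__":
    q, conns = summarize(parse_rows(TABLE_EXCERPT))
    for finding in flag_unanswered_beacons(q, conns):
        print(finding)
    for ip, port, domain in sorted(conns):
        print(f"connection {ip}:{port} domain={domain or '(none recorded)'}")
```

Run against the full tables on this page the same code yields 39 and 77 lookups of the one hostname and an empty set of connections carrying it; the threshold and the suffix list are the knobs to tune for a real corpus of reports.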
Files
memory/3704-132-0x00000000753C0000-0x0000000075971000-memory.dmp
memory/3704-133-0x00000000753C0000-0x0000000075971000-memory.dmp
memory/4956-134-0x0000000000000000-mapping.dmp
memory/4956-135-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe.log
| MD5 | 3bc2150211e33cd343b025da5a9b1457 |
| SHA1 | a180ee6e62a496a226590390651a1d3708c7b89c |
| SHA256 | ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787 |
| SHA512 | e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c |
This usage log is written by the .NET runtime when a managed executable runs; its location under CLR_v2.0_32 shows the sample executed as a 32-bit managed binary on CLR v2.0 (.NET Framework 2.0 to 3.5), which is consistent with the NanoCore signature, NanoCore being a .NET RAT.
memory/3704-137-0x00000000753C0000-0x0000000075971000-memory.dmp
memory/4956-138-0x00000000753C0000-0x0000000075971000-memory.dmp
memory/4956-139-0x00000000753C0000-0x0000000075971000-memory.dmp