Analysis
-
max time kernel
127s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-12-2022 09:13
General
-
Target
download.exe
-
Size
203KB
-
MD5
c7db7aecb55a508371570b7008897c2d
-
SHA1
93fb24242e0157acd65ca704a090c054ccfcb841
-
SHA256
8ccef55df6fad5510b1b81c7973df1620d9c7d7504598e755f50c130d1a5ed2e
-
SHA512
0b4a3973fb571070d6f87e069ae3bac1abc39892b817f0cdeb61d59479970659def16e8c07f4f5aa79c3d2c83386743f8980dcbeaaf68e61837a47d2a95b1d15
-
SSDEEP
3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIoySnfr0CEE9R4szJbGxBzU9yA:MLV6Bta6dtJmakIM5nnz0mJ+zAapx2
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\download.exe"C:\Users\Admin\AppData\Local\Temp\download.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA07.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmpFilesize
1KB
MD5b8e4cf4ba028d5a6217f44c16cedd0ef
SHA1886bc81c6b4e9c36825a3bb4d142836527492d16
SHA25613c02c1aad0c4c93787dd39b1ecf279316207765fff90a468d020ba89fedcab0
SHA51256979c996421ddbc09e693087301ac4f043bcfa88fdbd8afa8917518595b557b7240104ee9007009706a15e47e98b81052f142d1d271a9bf9007a744c4c8fa7c
-
C:\Users\Admin\AppData\Local\Temp\tmpAA07.tmpFilesize
1KB
MD50a24db62cb5b84309c4803346caaa25d
SHA167660778f61bb44168c33ed3fe56ed86cf9583e8
SHA25638d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df
SHA512d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548
-
memory/604-56-0x0000000000000000-mapping.dmp
-
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmpFilesize
8KB
-
memory/1508-55-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/1508-60-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/1780-58-0x0000000000000000-mapping.dmp