Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
10-06-2023 02:47
General
-
Target
aaf14dba92dff1b1970e5fc870210431.exe
-
Size
203KB
-
MD5
aaf14dba92dff1b1970e5fc870210431
-
SHA1
2daf65ec83dbd11a3f963cbc66bdc5116e554e76
-
SHA256
5939c954dce802b621cc345926168eeda349c39e75cd1cd2a4104096f854d908
-
SHA512
0bd45f861331d7f8b472123c051ba936bfa3d66c1e1922f6b21206cadda030b0fbb0987c839b2413fa4a24366099762e783a774761c28dd84a1266ddef163bec
-
SSDEEP
6144:sLV6Bta6dtJmakIM5b8GL+1WUQ52F+/8Ej4ei:sLV6BtpmkXGLUcQsEEj4X
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe"C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA9D.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp81C.tmpFilesize
1KB
MD5c90e2487d6823743a2bbe9aab13029a5
SHA1af4396dbfe2b782f4875c8e87e85b3d26c0774d1
SHA256ac62e4505a02980e126bcc52cab99e2590eac7ea0f80c7d1233caff562e4e992
SHA5125f43c193de76144ed0e49aeae512099693bdd6d867565fab7b39bf63e22ce37dd3e04529a4a0cb49605f13203b43d50e1bb86f7e8a7f4359ae42a558a7175a9a
-
C:\Users\Admin\AppData\Local\Temp\tmpA9D.tmpFilesize
1KB
MD5cc41562853d473a6d8785f7887ed523f
SHA15be25b133c7a5cbc1b240822e87f3cbe94aaa312
SHA256a259d5fb27ddfee2968c9b1c1346121934b35bda37f9f446e9470a72cb95c2b7
SHA512678c59e91d604607c7a3576dcab70eac4fb6af40d9f9db799a7a9fee67a1dd306a1a8b3bc4885e46fa6ab75970bb37fd62e6dcc66c61c09413d59991f90f12fd
-
memory/1208-57-0x0000000000070000-0x00000000000B0000-memory.dmpFilesize
256KB
-
memory/1208-62-0x0000000000070000-0x00000000000B0000-memory.dmpFilesize
256KB