Resubmissions
11/11/2023, 19:31
231111-x8drpabc5z 10Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
11/11/2023, 19:31
General
-
Target
hellsing (desync).exe
-
Size
210KB
-
MD5
d5e1f1c116ec87d5a87cd658a1f5ea14
-
SHA1
fb504851b1c844ef54f0bb0de6e169b7d70a8e99
-
SHA256
1fa01c5bc146dad0626756cf1e49065ed9934b3b1a12b75f2ba20daa213fb8c8
-
SHA512
dc0b0b5f4dc902d5e2992a8de19aa0fbda1f86b9075abf84a501ed5a64d1fc8f4d0fbbfcc40ec8187f5c65f1148f7bf65d6941e3d690a25d778c7032a04e01d7
-
SSDEEP
6144:SLV6Bta6dtJmakIM5ClRJg66MRyxF8DVI2d3F:SLV6BtpmkXuEUGVImV
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\hellsing (desync).exe"C:\Users\Admin\AppData\Local\Temp\hellsing (desync).exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /create /f /tn "TCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /create /f /tn "TCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp894D.tmp"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59e8e91cc3350c7392200313dc77cf585
SHA16fa1974f4c462f051d2274c2c7067a54e6a87b7e
SHA256ba956e40f7b63266274a3e89623628756495b44361757ce3f36db1bbe662202c
SHA512873692bab1f22dafbade9b65ddec98588a776f9b5a74199b285ee9b432487e22a85cf8f5d7a20b3a27787268efedc42eb6856dd7586955185c0fdd995df693b8
-
Filesize
1KB
MD5112800c9e4e657831029fcec32627580
SHA1034416597bd5d227f23149788cbfb183083c2afc
SHA256beefa06238552287f2eeedc9851b5c2147b187c221ff7db639359c8a8e5e3cd2
SHA512daa1050d3cbda6d9637952bf31ddc0aa2db626703f691bc97b59b31cf5b7e490caa4aedbeec6090a5fc66992ee7b000af9f55ff7b0549ae4d54a6be67674539d
-
Filesize
40KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB