Resubmissions
11/11/2023, 19:31
231111-x8drpabc5z 10Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
11/11/2023, 19:31
General
-
Target
hellsing (desync).exe
-
Size
210KB
-
MD5
d5e1f1c116ec87d5a87cd658a1f5ea14
-
SHA1
fb504851b1c844ef54f0bb0de6e169b7d70a8e99
-
SHA256
1fa01c5bc146dad0626756cf1e49065ed9934b3b1a12b75f2ba20daa213fb8c8
-
SHA512
dc0b0b5f4dc902d5e2992a8de19aa0fbda1f86b9075abf84a501ed5a64d1fc8f4d0fbbfcc40ec8187f5c65f1148f7bf65d6941e3d690a25d778c7032a04e01d7
-
SSDEEP
6144:SLV6Bta6dtJmakIM5ClRJg66MRyxF8DVI2d3F:SLV6BtpmkXuEUGVImV
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\hellsing (desync).exe"C:\Users\Admin\AppData\Local\Temp\hellsing (desync).exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /f /tn "AGP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /create /f /tn "AGP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8E76.tmp"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59e8e91cc3350c7392200313dc77cf585
SHA16fa1974f4c462f051d2274c2c7067a54e6a87b7e
SHA256ba956e40f7b63266274a3e89623628756495b44361757ce3f36db1bbe662202c
SHA512873692bab1f22dafbade9b65ddec98588a776f9b5a74199b285ee9b432487e22a85cf8f5d7a20b3a27787268efedc42eb6856dd7586955185c0fdd995df693b8
-
Filesize
1KB
MD5939c174b0103a84ef8e847bfd6ffba03
SHA12365d289c56ec180ba69940b8b09a739f78e6518
SHA256caa9f74b043d7e7b7e84d465b99e8c95f0c71e586be0e4bfdf0f9ce1e10cd840
SHA512c19588c4e399b7b7120fb5ededb84c6e7ecbb3a644cc641af787c8cca9c91f1d6e567f83f03d2ceccffbead2120f6250b51bbd3595a38d3b716ebf03759376eb
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
9.6MB
-
Filesize
664KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB