Analysis
-
max time kernel
45s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31/12/2023, 00:48
General
-
Target
223665e6e6577334fcc3987df38e6100.exe
-
Size
1.4MB
-
MD5
223665e6e6577334fcc3987df38e6100
-
SHA1
ab748e2ecb0daebc4bac4618840110377e8ade21
-
SHA256
fdff2fa421d49740b428cea640d08b2ba1ba26aee2eebd516f4754748d086391
-
SHA512
e2579d89ee7d25c44105fced43ae0ca666a7933a5d5ce1bf023659d4aa04dc6d1fde745774075fd74ec5fcd804d1566a79e0faa78635d7df99aa5c5380e50baf
-
SSDEEP
24576:RZzUi76DOnofx8Dgofx8DgBffUXFqJv/7N2hR77ulzqTKostZdA9L:Qi76J58Dgo58DgBf8XFqJv/7N2hR77KC
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\223665e6e6577334fcc3987df38e6100.exe"C:\Users\Admin\AppData\Local\Temp\223665e6e6577334fcc3987df38e6100.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\223665e6e6577334fcc3987df38e6100.exe"2⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ibQllCItUmfdl.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ibQllCItUmfdl.exe"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibQllCItUmfdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB73.tmp"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57e5e151f305ba9a83c2e67e8f0a76093
SHA15c4be9bf8ed62a205ed0e494ee5c57be2cd7e34a
SHA2563da8105fadc673fd961b01d8b196cfaeacfff364d2009d5b60426ef54b9455aa
SHA5126b36c84508c403db58ca6e691e0bb29910d61dec32a2cbb2a06f14b59d4c9a861af064fab0649e5987b7d299cab8f8eafa7ca8ab0fc47fdca968e6815e1c6990
-
Filesize
7KB
MD51c9b9b2d1e325cf8cad8c92bce9fdf66
SHA18d300ee36b1115f0439fb16b8d9a87aa16c84966
SHA256f72798e72cf540624616b9bfe67f0e5c5c161483f4840fcfa24edf032531e102
SHA512fa04eec4c3363dac784f69242c96d11f37dab89de6fca12ec74c1835c8c06005eea292210a3585a8cf882bdfde1958995f6da893966a9b679ea2561ffc79945f
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB