Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2024, 08:01

General

  • Target
    a632a39ffdce2f2de984c6992d188986.exe
  • Size
    533KB
  • MD5
    a632a39ffdce2f2de984c6992d188986
  • SHA1
    7a1bb8fea06c819b7e575f9ef431af09151837eb
  • SHA256
    6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
  • SHA512
    a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b
  • SSDEEP
    12288:HLV6Btpmklh0YDwhTOSq5nyxUnfMgE9Pb/ji7u8LW:rApflh0Ik5vanhI/ku86

Malware Config

Signatures

  • NanoCore

    NanoCore is a commodity .NET remote access trojan (RAT). It is plugin-based, and the plugins typically give the operator keylogging, screen capture, file management, remote shell and reverse-proxy capabilities on the infected host.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    schtasks.exe is frequently used by malware for persistence (ATT&CK T1053.005, Scheduled Task) or to run a payload after infection. Here it is invoked twice with /create /f, importing task definitions from tmp*.tmp files the sample wrote to its own Temp directory, so the trigger and the action are not visible on the command line and have to be read from the dropped XML (listed under Downloads below).

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API (ITaskService) can be used to register applications to run at boot, at logon or at set times without spawning schtasks.exe, so a detection that keys only on schtasks.exe command lines misses it. Task registration itself is logged as Security event 4698 (when object-access auditing is enabled) and as Microsoft-Windows-TaskScheduler/Operational event 106, whichever path created the task.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe
    "C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2260
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2924
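The schtasks pattern described under Signatures and shown in the process tree above, turned into detection logic. This is an added example, not part of the sandbox report and not NanoCore code. It runs over constructed Sysmon-style process-creation records (Event ID 1 fields ProcessId, Image, CommandLine, ParentImage); the two schtasks command lines are copied from the tree, while the parent-process values, the benign "Nightly Backup" task and the directory list are assumptions made for the example.

```python
"""Flag schtasks.exe /create invocations whose task XML is staged in a user-writable directory."""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed list: user-writable locations where a legitimately deployed task XML is unlikely to live.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# tmpXXXX.tmp is the name shape .NET's Path.GetTempFileName() (and Win32 GetTempFileName) produces.
TEMPFILE_NAME = re.compile(r"\\tmp[0-9a-f]{1,4}\.tmp$")


@dataclass(frozen=True)
class Finding:
    pid: int
    task_name: Optional[str]
    xml_path: Optional[str]
    reasons: Tuple[str, ...]


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line; posix=False keeps backslashes literal, quotes are stripped after."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_schtasks_create(cmdline: str) -> Optional[Tuple[Optional[str], Optional[str], bool]]:
    """Return (task_name, xml_path, force) for a 'schtasks /create ...' command line, else None."""
    toks = split_cmdline(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks.exe", "schtasks"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def value_of(flag: str) -> Optional[str]:
        if flag in low and low.index(flag) + 1 < len(toks):
            return toks[low.index(flag) + 1]
        return None

    return value_of("/tn"), value_of("/xml"), "/f" in low


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the detection logic to one process-creation record."""
    parsed = parse_schtasks_create(event.get("CommandLine", ""))
    if parsed is None:
        return None
    task_name, xml_path, force = parsed
    reasons = []
    if xml_path:
        xml_low = xml_path.lower()
        if any(d in xml_low for d in USER_WRITABLE_DIRS):
            reasons.append("task definition XML staged in a user-writable directory")
        if TEMPFILE_NAME.search(xml_low):
            reasons.append("task definition has a GetTempFileName-style name (tmpXXXX.tmp)")
    parent_low = event.get("ParentImage", "").lower()
    if any(d in parent_low for d in USER_WRITABLE_DIRS):
        reasons.append("schtasks spawned by a binary running from a user-writable directory")
    if not reasons:
        return None  # a plain /create from an admin shell is not enough on its own
    if force:
        reasons.append("/f silently replaces any existing task with the same name")
    return Finding(int(event["ProcessId"]), task_name, xml_path, tuple(reasons))


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed records: the two schtasks command lines are the ones in the report,
# the parent images, the benign backup task and the PID 3100 record are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 2456,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2260,
     "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"},
    {"ProcessId": 2924,
     "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"},
    {"ProcessId": 3100,
     "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid}: task {f.task_name!r} imported from {f.xml_path}")
        for r in f.reasons:
            print("   -", r)
```

The /f switch is deliberately only a supporting reason: on its own it appears in plenty of deployment scripts, but combined with an XML import from Temp and a parent running from Temp it is the same sequence the sample used for its "LAN Monitor" tasks. Tasks registered through the Task Scheduler COM API never produce a schtasks.exe record, so this should sit beside a task-registration event source (Security 4698 or TaskScheduler/Operational 106), not replace it.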

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp
          Filesize
          1KB
          MD5
          029e60b39959bba895979975e33b96a5
          SHA1
          ebd492c14ffb3733d315adc7378175a4de8d4104
          SHA256
          037de60417e4d3866d82505a021651fd8101ad0c4270e86a1cc3c272dde08196
          SHA512
          8977daaa0da4713c3802562402731d201c063385cd86728e81528a4b419f8a8302f6408e53906b69ebace2fc83b5567c2a6b6cf25958b3f73db3874909ef82bd

        • C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp
          Filesize
          1KB
          MD5
          5ed3301e36e3359905df2c1d8fee55f9
          SHA1
          87f3dd865a35a183a95b70670837aff59acab4c1
          SHA256
          b6b1ccf23addd989edab37c3c63997814126559be20653e5b219bfcb0afef0f8
          SHA512
          5b2eaa5ad2f0cedb509b459407e0260bee6760cca7ca04f62afad6d5b2ae7dbdd19a443012e7d71476f5f6433a72d6c4b111580b7b592010c1e966155cd828a4

        • memory/2456-17-0x0000000002360000-0x000000000236E000-memory.dmp (Filesize 56KB)
        • memory/2456-13-0x0000000000AB0000-0x0000000000ABA000-memory.dmp (Filesize 40KB)
        • memory/2456-2-0x00000000020B0000-0x0000000002130000-memory.dmp (Filesize 512KB)
        • memory/2456-1-0x00000000020B0000-0x0000000002130000-memory.dmp (Filesize 512KB)
        • memory/2456-11-0x00000000020B0000-0x0000000002130000-memory.dmp (Filesize 512KB)
        • memory/2456-12-0x00000000020B0000-0x0000000002130000-memory.dmp (Filesize 512KB)
        • memory/2456-18-0x0000000002370000-0x000000000237C000-memory.dmp (Filesize 48KB)
        • memory/2456-14-0x0000000000250000-0x0000000000262000-memory.dmp (Filesize 72KB)
        • memory/2456-15-0x0000000002340000-0x000000000235A000-memory.dmp (Filesize 104KB)
        • memory/2456-16-0x0000000000660000-0x000000000066E000-memory.dmp (Filesize 56KB)
        • memory/2456-3-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp (Filesize 9.6MB)
        • memory/2456-0-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp (Filesize 9.6MB)
        • memory/2456-23-0x000000001AF40000-0x000000001AF5E000-memory.dmp (Filesize 120KB)
        • memory/2456-20-0x0000000002390000-0x00000000023A0000-memory.dmp (Filesize 64KB)
        • memory/2456-21-0x00000000023A0000-0x00000000023B4000-memory.dmp (Filesize 80KB)
        • memory/2456-22-0x000000001AF30000-0x000000001AF3E000-memory.dmp (Filesize 56KB)
        • memory/2456-19-0x0000000002380000-0x0000000002394000-memory.dmp (Filesize 80KB)
        • memory/2456-24-0x0000000000A90000-0x0000000000A9A000-memory.dmp (Filesize 40KB)
        • memory/2456-25-0x000000001AF60000-0x000000001AF8E000-memory.dmp (Filesize 184KB)
        • memory/2456-27-0x000000001BAB0000-0x000000001BBB0000-memory.dmp (Filesize 1024KB)
        • memory/2456-26-0x000000001AF90000-0x000000001AFA4000-memory.dmp (Filesize 80KB)
        • memory/2456-28-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp (Filesize 9.6MB)
        • memory/2456-29-0x00000000020B0000-0x0000000002130000-memory.dmp (Filesize 512KB)
        • memory/2456-30-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp (Filesize 9.6MB)