Analysis Overview
SHA256
6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
Threat Level: Known bad
The file a632a39ffdce2f2de984c6992d188986.exe was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 08:01
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 08:01
Reported
2024-01-06 08:03
Platform
win7-20231215-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files\\LAN Monitor\\lanmon.exe" | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| File opened for modification | C:\Program Files\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
| PID 2456 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
| PID 2456 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
| PID 2456 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
| PID 2456 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
| PID 2456 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe
"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp"
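The two schtasks launches above, together with the Run key from the Signatures section, form the persistence pattern of this sample: a task definition is written to a GetTempFileName-style `tmpXXXX.tmp` in the user's Temp folder and registered with `/xml`, and a Run value points into a Program Files folder named after the task. The following is an added example by the editor, not sandbox output or a vendor signature: it runs simple detection rules over the process and registry events copied from this report. The rule names, the regexes and the `PROCESS_EVENTS`/`REGISTRY_EVENTS` layout are the editor's assumptions.

```python
"""Detection logic for the persistence pattern recorded in this report.

Added example by the editor, not part of the sandbox output or of any vendor
signature. Input events are copied from the Processes and Registry tables of
the Win7 run (behavioral1); the rule names and patterns are the editor's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the report: (image path, command line) for each process.
PROCESS_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"'),
    (r"C:\Windows\system32\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp"'),
    (r"C:\Windows\system32\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp"'),
]

# Constructed from the report's "Adds Run key" row; the value is kept exactly
# as the sandbox printed it (quoted, backslashes doubled).
REGISTRY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAN Monitor",
     r'"C:\\Program Files\\LAN Monitor\\lanmon.exe"'),
]

# tmpXXXX.tmp under %LOCALAPPDATA%\Temp is the GetTempFileName naming pattern;
# a task definition registered from such a file was written moments earlier.
TEMP_XML = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.IGNORECASE)
PROGRAM_FILES_EXE = re.compile(r"^C:\\Program Files( \(x86\))?\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def schtasks_options(argv: list[str]) -> dict[str, str | None]:
    """Map each /switch to its value, or None for bare switches such as /f."""
    opts: dict[str, str | None] = {}
    i = 1  # argv[0] is the image name
    while i < len(argv):
        switch = argv[i].lower()
        value = argv[i + 1] if i + 1 < len(argv) else None
        if value is not None and not value.startswith("/"):
            opts[switch] = value
            i += 2
        else:
            opts[switch] = None
            i += 1
    return opts


def normalize_reg_value(raw: str) -> str:
    """Undo the sandbox's display escaping: strip quotes, collapse doubled backslashes."""
    return raw.strip('"').replace("\\\\", "\\")


def detect_schtasks_from_temp_xml(process_events):
    """Rule 1: schtasks /create whose /xml definition lives in the user's Temp dir."""
    findings, task_names = [], []
    for image, cmd in process_events:
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        opts = schtasks_options(split_cmdline(cmd))
        xml = opts.get("/xml")
        if "/create" in opts and xml and TEMP_XML.search(xml):
            name = opts.get("/tn") or "<unnamed>"
            task_names.append(name)
            findings.append(Finding("schtasks_create_from_temp_xml",
                                    f"task {name!r} registered from {xml}"))
    return findings, task_names


def detect_run_key(registry_events, task_names):
    """Rule 2: Run value pointing into a Program Files folder named after the value.
    Rule 3: that value name is also used as (the prefix of) a scheduled-task name."""
    findings = []
    for key, raw_value in registry_events:
        if "\\CurrentVersion\\Run\\" not in key:
            continue
        value_name = key.rsplit("\\", 1)[-1]
        target = normalize_reg_value(raw_value)
        m = PROGRAM_FILES_EXE.match(target)
        if m and m.group(2).lower() == value_name.lower():
            findings.append(Finding("run_key_into_matching_program_files_dir",
                                    f"{value_name!r} -> {target}"))
        if any(t.lower().startswith(value_name.lower()) for t in task_names):
            findings.append(Finding("run_key_name_reused_as_task_name", value_name))
    return findings


def analyze(process_events, registry_events) -> list[Finding]:
    task_findings, task_names = detect_schtasks_from_temp_xml(process_events)
    return task_findings + detect_run_key(registry_events, task_names)


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the Win7 events this yields four findings: two `schtasks_create_from_temp_xml` (one per task), one for the Run value targeting `C:\Program Files\LAN Monitor\`, and one for the value name being reused as the task name. The same rules fire unchanged on the Win10 run, where the names are `DHCP Service` / `dhcpsvc.exe`; a legitimate installer registering a task from a file under `C:\ProgramData` does not match Rule 1.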
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | yourself-catholic.gl.at.ply.gg | udp | 20 |
| US | 147.185.221.17:56274 | yourself-catholic.gl.at.ply.gg | tcp | 20 |
Files
memory/2456-0-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp
memory/2456-1-0x00000000020B0000-0x0000000002130000-memory.dmp
memory/2456-2-0x00000000020B0000-0x0000000002130000-memory.dmp
memory/2456-3-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7C22.tmp
| MD5 | 029e60b39959bba895979975e33b96a5 |
| SHA1 | ebd492c14ffb3733d315adc7378175a4de8d4104 |
| SHA256 | 037de60417e4d3866d82505a021651fd8101ad0c4270e86a1cc3c272dde08196 |
| SHA512 | 8977daaa0da4713c3802562402731d201c063385cd86728e81528a4b419f8a8302f6408e53906b69ebace2fc83b5567c2a6b6cf25958b3f73db3874909ef82bd |
C:\Users\Admin\AppData\Local\Temp\tmp86FC.tmp
| MD5 | 5ed3301e36e3359905df2c1d8fee55f9 |
| SHA1 | 87f3dd865a35a183a95b70670837aff59acab4c1 |
| SHA256 | b6b1ccf23addd989edab37c3c63997814126559be20653e5b219bfcb0afef0f8 |
| SHA512 | 5b2eaa5ad2f0cedb509b459407e0260bee6760cca7ca04f62afad6d5b2ae7dbdd19a443012e7d71476f5f6433a72d6c4b111580b7b592010c1e966155cd828a4 |
memory/2456-11-0x00000000020B0000-0x0000000002130000-memory.dmp
memory/2456-12-0x00000000020B0000-0x0000000002130000-memory.dmp
memory/2456-13-0x0000000000AB0000-0x0000000000ABA000-memory.dmp
memory/2456-14-0x0000000000250000-0x0000000000262000-memory.dmp
memory/2456-15-0x0000000002340000-0x000000000235A000-memory.dmp
memory/2456-16-0x0000000000660000-0x000000000066E000-memory.dmp
memory/2456-17-0x0000000002360000-0x000000000236E000-memory.dmp
memory/2456-18-0x0000000002370000-0x000000000237C000-memory.dmp
memory/2456-19-0x0000000002380000-0x0000000002394000-memory.dmp
memory/2456-20-0x0000000002390000-0x00000000023A0000-memory.dmp
memory/2456-21-0x00000000023A0000-0x00000000023B4000-memory.dmp
memory/2456-22-0x000000001AF30000-0x000000001AF3E000-memory.dmp
memory/2456-23-0x000000001AF40000-0x000000001AF5E000-memory.dmp
memory/2456-24-0x0000000000A90000-0x0000000000A9A000-memory.dmp
memory/2456-25-0x000000001AF60000-0x000000001AF8E000-memory.dmp
memory/2456-27-0x000000001BAB0000-0x000000001BBB0000-memory.dmp
memory/2456-26-0x000000001AF90000-0x000000001AFA4000-memory.dmp
memory/2456-28-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp
memory/2456-29-0x00000000020B0000-0x0000000002130000-memory.dmp
memory/2456-30-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 08:01
Reported
2024-01-06 08:04
Platform
win10v2004-20231215-en
Max time kernel
157s
Max time network
177s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files\\DHCP Service\\dhcpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| File opened for modification | C:\Program Files\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 324 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 324 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 324 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 324 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe
"C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp45F3.tmp"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp60FE.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
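The two Network tables differ sharply: the Win7 run resolves one hostname and connects to the resolved address on a non-web port over and over, while the Win10 run shows only reverse (`in-addr.arpa`) lookups and a single port-80 connection with no hostname. The following is an added example by the editor, not part of the sandbox report: it collapses repeated rows from both tables into per-endpoint counts and separates OS background noise from candidate C2 endpoints. The classification thresholds (DNS on 53, "web" ports 80/443, PTR suffix) are the editor's assumptions, and the Win10 rows are a subset of the table above.

```python
"""Split sandbox network rows into background noise and C2 candidates.

Added example by the editor, not part of the sandbox report. Rows are copied
from the Network tables of the Win7 run (behavioral1) and the Win10 run
(behavioral2, a subset of the PTR lookups); the classification heuristics
are the editor's assumptions, not vendor logic.
"""
from __future__ import annotations

from collections import Counter

# Constructed from the Win7 table: a DNS query to 8.8.8.8 and a TCP connection
# to the resolved address on port 56274, each repeated 20 times.
WIN7_ROWS = [
    ("US", "8.8.8.8:53", "yourself-catholic.gl.at.ply.gg", "udp"),
    ("US", "147.185.221.17:56274", "yourself-catholic.gl.at.ply.gg", "tcp"),
] * 20

# Constructed from the Win10 table (subset); the port-80 row carries no domain.
WIN10_ROWS = [
    ("US", "8.8.8.8:53", "2.181.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
]

WEB_PORTS = {80, 443}  # assumption: ordinary web traffic, not a beacon port


def split_destination(dst: str) -> tuple[str, int]:
    """'host:port' -> (host, port); raises on a malformed cell."""
    host, sep, port = dst.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad destination cell: {dst!r}")
    return host, int(port)


def classify(dst: str, domain: str, proto: str) -> str:
    """Assign one endpoint to a coarse class used for triage."""
    host, port = split_destination(dst)
    if proto == "udp" and port == 53:
        # Reverse lookups of other hosts' addresses are OS background chatter.
        return "ptr_lookup_noise" if domain.endswith(".in-addr.arpa") else "dns_lookup"
    if proto == "tcp" and domain and port not in WEB_PORTS:
        # A resolved hostname contacted on a non-web port is the shape of a RAT beacon.
        return "c2_candidate"
    if proto == "tcp" and port in WEB_PORTS:
        return "web"
    return "other"


def summarize(rows) -> dict[str, list[tuple[str, str, str, int]]]:
    """Collapse repeated rows into (destination, domain, proto, count) grouped by class."""
    counts = Counter((dst, domain, proto) for _, dst, domain, proto in rows)
    grouped: dict[str, list[tuple[str, str, str, int]]] = {}
    for (dst, domain, proto), n in counts.items():
        grouped.setdefault(classify(dst, domain, proto), []).append((dst, domain, proto, n))
    return grouped


def c2_candidates(rows) -> list[tuple[str, str, str, int]]:
    """Only the endpoints worth blocking or hunting for."""
    return summarize(rows).get("c2_candidate", [])


if __name__ == "__main__":
    for label, rows in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        print(label, summarize(rows))
```

On the Win7 rows the only `c2_candidate` is `147.185.221.17:56274` for `yourself-catholic.gl.at.ply.gg`, seen 20 times; on the Win10 rows the list is empty, which matches the absence of the hostname from that table and means the Win10 detonation gives no network indicator for this sample.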
Files
memory/324-0-0x00007FFC8D7D0000-0x00007FFC8E171000-memory.dmp
memory/324-1-0x00007FFC8D7D0000-0x00007FFC8E171000-memory.dmp
memory/324-2-0x0000000000AD0000-0x0000000000AE0000-memory.dmp
memory/324-3-0x00007FFC8D7D0000-0x00007FFC8E171000-memory.dmp
memory/324-4-0x000000001B690000-0x000000001BB5E000-memory.dmp
memory/324-5-0x00007FFC8D7D0000-0x00007FFC8E171000-memory.dmp
memory/324-6-0x0000000000AD0000-0x0000000000AE0000-memory.dmp
memory/324-7-0x0000000000AE0000-0x0000000000B7C000-memory.dmp
memory/324-8-0x000000001BD10000-0x000000001BDB6000-memory.dmp
memory/324-9-0x0000000000810000-0x0000000000818000-memory.dmp
memory/324-10-0x0000000000AD0000-0x0000000000AE0000-memory.dmp
memory/324-13-0x0000000000AD0000-0x0000000000AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp45F3.tmp
| MD5 | 029e60b39959bba895979975e33b96a5 |
| SHA1 | ebd492c14ffb3733d315adc7378175a4de8d4104 |
| SHA256 | 037de60417e4d3866d82505a021651fd8101ad0c4270e86a1cc3c272dde08196 |
| SHA512 | 8977daaa0da4713c3802562402731d201c063385cd86728e81528a4b419f8a8302f6408e53906b69ebace2fc83b5567c2a6b6cf25958b3f73db3874909ef82bd |
C:\Users\Admin\AppData\Local\Temp\tmp60FE.tmp
| MD5 | a1e72d32044df2250a28d62375b19f15 |
| SHA1 | f82e0131f1a1fcbf825544cd2cc25e28174c47ee |
| SHA256 | b3e2fff6289e337bc83c056904dad620e5edc7f28ac3690ab4900f3ec90df799 |
| SHA512 | df04c1f421c3d2ed3c928e388aa068be0c3b1bd16348f2692a63c641ec6cd3b103525a8e39298566a395f863fc23a3e29cf2ae50f3e68b5ffba981241587a88b |
memory/324-19-0x000000001C1B0000-0x000000001C2B0000-memory.dmp
memory/324-20-0x0000000000CE0000-0x0000000000CEA000-memory.dmp
memory/324-21-0x00000000008E0000-0x00000000008F2000-memory.dmp
memory/324-22-0x000000001CB10000-0x000000001CB2A000-memory.dmp
memory/324-23-0x0000000000BD0000-0x0000000000BDE000-memory.dmp
memory/324-24-0x000000001CB30000-0x000000001CB3E000-memory.dmp
memory/324-25-0x000000001CB40000-0x000000001CB4C000-memory.dmp
memory/324-26-0x000000001CB50000-0x000000001CB64000-memory.dmp
memory/324-27-0x00000000007F0000-0x0000000000800000-memory.dmp
memory/324-28-0x00000000008A0000-0x00000000008B4000-memory.dmp
memory/324-29-0x00000000008C0000-0x00000000008CE000-memory.dmp
memory/324-30-0x000000001CB60000-0x000000001CB7E000-memory.dmp