Analysis

  • max time kernel
    150s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/01/2024, 10:23

General

  • Target

    abb84f7bbcc5585765153cd445c8c07d.exe

  • Size

    1.1MB

  • MD5

    abb84f7bbcc5585765153cd445c8c07d

  • SHA1

    69707e556ebd88aec6414c0c5a481b235ad2eead

  • SHA256

    149e9d049c83abff4843e0fab7f6cde552aef61e32a53d61e76f6c5adc3db25f

  • SHA512

    12752cdde51c29b3fb4afc16405881681f06e3f4abc8b4912c35f366af6d2bc84ae321110a6ee11f1b8d0ab557975c9892ca0977b149c59f24735c0076d33a38

  • SSDEEP

    12288:TGPoV34JStlA/afwCtrduIyCuUy21lbyOuJOmBws5o8pewY3:T0uqipuIySjQes5oSel

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe
    "C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe
      "C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe"
      2⤵
      • Executes dropped EXE
      PID:1788
    • C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1408
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD9C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1564

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe

          Filesize

          533KB

          MD5

          a632a39ffdce2f2de984c6992d188986

          SHA1

          7a1bb8fea06c819b7e575f9ef431af09151837eb

          SHA256

          6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e

          SHA512

          a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b

        • C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe

          Filesize

          567KB

          MD5

          8a172477569fd0f1b554ecaa42a59d9d

          SHA1

          58adf1c1f27215d13e280364c15008df293d90fb

          SHA256

          391915fb3b7aa3df83c7d95c0867e3d24ee8906e657344666bbd87ea4e61a82a

          SHA512

          8aae52a6af70795cc938a7ad107bfa2ab383ea2f8f86777ac2084eba0bbac6175bbe432569a8706541122b9dc417748f5fe54e829ddd77be0b7a6b5c26999a85

        • C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp

          Filesize

          1KB

          MD5

          03622b0c91662ec4ada74d25f655232f

          SHA1

          7272a7d3acd8726fa58987ad322fa06ce7a23208

          SHA256

          68a618959190a38c260d20dde35209ed7c8f8ef336c8f6af4abdf416ea2e8b67

          SHA512

          6d6ddb25cf1a0793bcea2ce25e866db318400eef864c1608441c529ab094be604c9e98264219c933a2187ec63abc77124edddeb324744999872d150ce7e73dd2

        • C:\Users\Admin\AppData\Local\Temp\tmpAD9C.tmp

          Filesize

          1KB

          MD5

          a1e72d32044df2250a28d62375b19f15

          SHA1

          f82e0131f1a1fcbf825544cd2cc25e28174c47ee

          SHA256

          b3e2fff6289e337bc83c056904dad620e5edc7f28ac3690ab4900f3ec90df799

          SHA512

          df04c1f421c3d2ed3c928e388aa068be0c3b1bd16348f2692a63c641ec6cd3b103525a8e39298566a395f863fc23a3e29cf2ae50f3e68b5ffba981241587a88b
