Analysis Overview
SHA256
9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb
Threat Level: Known bad
The file quotation.scr.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Uses the VBS compiler for execution
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 11:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 11:34
Reported
2024-01-26 11:37
Platform
win7-20231215-en
Max time kernel
149s
Max time network
149s
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2468 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2244 set thread context of 2512 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {8FF7CFF9-8918-4A13-A59A-144AD3A69973} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 91.92.242.242:6051 | harold.jetos.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| MD5 | 38699281db788537bea1ce577eb81ea9 |
| SHA1 | 39e11046b7c615a047875ca3a0eafd20d583d693 |
| SHA256 | 9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb |
| SHA512 | fd33f696fc92ed4d496088715dbc82ca7c67e3049b1855ca56c3576381677274cdd1d437ea98cb3774c5bef0106a2dbc984c97b8c680d243cee104c042357c3f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 11:34
Reported
2024-01-26 11:37
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
153s
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3828 set thread context of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3312 set thread context of 4572 | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\quotation.scr.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\explorer"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 91.92.242.242:6051 | harold.jetos.com | tcp |
| US | 8.8.8.8:53 | 242.242.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| MD5 | 38699281db788537bea1ce577eb81ea9 |
| SHA1 | 39e11046b7c615a047875ca3a0eafd20d583d693 |
| SHA256 | 9598d353175682d82d7bbe9eca3d48c97552db2718e77007601f80541b7c8afb |
| SHA512 | fd33f696fc92ed4d496088715dbc82ca7c67e3049b1855ca56c3576381677274cdd1d437ea98cb3774c5bef0106a2dbc984c97b8c680d243cee104c042357c3f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log
| MD5 | 81ab0e59097e03cb04c32378024d6628 |
| SHA1 | cc2a7a335f905e787906b6a0820acfbd4c5d0ed2 |
| SHA256 | 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533 |
| SHA512 | 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb |