Analysis Overview
SHA256
b1eeeb094d51c8f5f2931b00533cb5a0dfb98cf310ea06580c7967976d215b3b
Threat Level: Known bad
The file 790b9e9961e4b8ca5171d422239e0541 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-27 02:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 02:31
Reported
2024-01-27 02:34
Platform
win7-20231215-en
Max time kernel
146s
Max time network
133s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2500 set thread context of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sRwOrsHsaniq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE26.tmp" |
| C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe" |
| C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpEE26.tmp
| Hash | Value |
|---|---|
| MD5 | 0f2408529a379d4126cc0c6bf4e637cc |
| SHA1 | e5b872e57cdafb8ae664544c37956c8032d97ad5 |
| SHA256 | 4335c2a04042be06de88eacc9a7a8b055d404b20e51444c44e212564cc2b687c |
| SHA512 | 355a2173a3f65ec81b25cab89dd75700defaf1ab794fd405eab3f07ef3b2bc77d61b7ad8863dd79d8387d68846eceeef05d114dbf24e809a2bfe57f8bca4ba2e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 02:31
Reported
2024-01-27 02:34
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4288 set thread context of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sRwOrsHsaniq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp" |
| C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe | "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| NO | 194.5.98.28:3040 | | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| N/A | 127.0.0.1:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
| NO | 194.5.98.28:3040 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp
| Hash | Value |
|---|---|
| MD5 | 372fde01a0dc2ff581c862e4070fead0 |
| SHA1 | d869f5af11f96359c8d93e0f41bd6f042a6ad001 |
| SHA256 | 62ca54a873628404b9d6881c03f43511be57dd814ab7c1140bf405a98438523e |
| SHA512 | d5946c4986b12308b4e9e857945ad570bf3d2180dc68886a348d8dbba7c4b0b9886faa6ca6c24023feaefacab1517278f7af15221149375ea76c24927f322b8c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\790b9e9961e4b8ca5171d422239e0541.exe.log
| Hash | Value |
|---|---|
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |