Analysis

  • max time kernel
    118s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2024, 12:46

General

  • Target

    PDFextractor.exe

  • Size

    705KB

  • MD5

    4a5190c170b6bbc740730372b73b3e3a

  • SHA1

    affb6f1cf65acbcd627416187dac518e5b100f40

  • SHA256

    fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc

  • SHA512

    1c3d275adfb85811a4871a2d4b8c6d54bad663bd606700b337c2adda9b35abae16de77d43ef4cfd1064dbd2c39f667404768303cca38cdc3a04a1d01d0b97e8b

  • SSDEEP

    12288:ILV6BtpmkaIteszzut6ugI3PCsOMj7L8pVyN0IolbzYHx/MtGJYXgUowtIp2R1t4:6Apfz4sctjspVm0N1sHxv3Umo1tty

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe
    "C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CC1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp

    Filesize

    1KB

    MD5

    7f6c0b45ec5c38500de95eddd09ddac8

    SHA1

    a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4

    SHA256

    e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c

    SHA512

    aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

  • C:\Users\Admin\AppData\Local\Temp\tmp5CC1.tmp

    Filesize

    1KB

    MD5

    a4f6fa4537e2dcf0d3e2802c0f070a4d

    SHA1

    03545095bfeddd7656b5b8547ab84a810324a94f

    SHA256

    192ac26e1895b267149bde35c55327f4a441693495239da5899062924d45bd11

    SHA512

    a4293123d718b0511a8301a7f536e403cecf8bc89f25f9dc4692b293eb8a554a8eb67993a26fe0e96792b6eb3573b34e9b270777cafe95c2383268da6d40fd2e

  • memory/2192-0-0x00000000747F0000-0x0000000074D9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2192-2-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

  • memory/2192-1-0x00000000747F0000-0x0000000074D9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2192-12-0x00000000747F0000-0x0000000074D9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2192-13-0x00000000747F0000-0x0000000074D9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2192-14-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB