Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 12:46

General

  • Target

    PDFextractor.exe

  • Size

    705KB

  • MD5

    4a5190c170b6bbc740730372b73b3e3a

  • SHA1

    affb6f1cf65acbcd627416187dac518e5b100f40

  • SHA256

    fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc

  • SHA512

    1c3d275adfb85811a4871a2d4b8c6d54bad663bd606700b337c2adda9b35abae16de77d43ef4cfd1064dbd2c39f667404768303cca38cdc3a04a1d01d0b97e8b

  • SSDEEP

    12288:ILV6BtpmkaIteszzut6ugI3PCsOMj7L8pVyN0IolbzYHx/MtGJYXgUowtIp2R1t4:6Apfz4sctjspVm0N1sHxv3Umo1tty

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe
    "C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5861.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4188
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58C0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5861.tmp

    Filesize

    1KB

    MD5

    7f6c0b45ec5c38500de95eddd09ddac8

    SHA1

    a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4

    SHA256

    e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c

    SHA512

    aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

  • C:\Users\Admin\AppData\Local\Temp\tmp58C0.tmp

    Filesize

    1KB

    MD5

    cd8e69b89899eb65a199cc8019e502ad

    SHA1

    19ae04c02d02e2828e4513de66734c383660d1a5

    SHA256

    cf1a9b78745b0f788fea2f579f1e3a82efc7425edb1f35abb8dd8e1cbaaf03ef

    SHA512

    9a2bf35fc687ec6ac81ad3fe16f82f104ad880be6b36afc7297264de09d50e85d9d3376ed9378d56b08ef94ca700b886cc40768587fc623c7fb6117265bd7033

  • memory/4072-0-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4072-2-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4072-1-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

  • memory/4072-10-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

  • memory/4072-13-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4072-14-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

  • memory/4072-15-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/4072-16-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB