Analysis

  • max time kernel
    120s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2024, 20:32

General

  • Target

    tmp.exe

  • Size

    210KB

  • MD5

    f598543eb3fca36826b95c8934c18440

  • SHA1

    d01513a81db37519eaae0faa8e54ee194d73103c

  • SHA256

    1b0f0f68bba4c25b14187378bebf8db9dce85ec634e7375b53a287ad2dc12ea2

  • SHA512

    dd971a469879b3c2b7c8b8f2edeca47ef9a0f6f12e788f3a3958f924b7f7442372ec8392e057489f32f12d35c456a8888e677d1995c0f1f68fd1272ed97dfe5a

  • SSDEEP

    6144:gLV6Bta6dtJmakIM5c/C++adghMiGFajp8:gLV6Btpmk7/Csdghbsn

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2736
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp

    Filesize

    1KB

    MD5

    3f4dcafa44c36f23e4db2b2315fd09da

    SHA1

    8c83089d6f6c887a77af9b42ca09969f3b2f83f6

    SHA256

    b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc

    SHA512

    e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

  • C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp

    Filesize

    1KB

    MD5

    ecf141ec69adbb2a5c3dd5c85cd0ec39

    SHA1

    0ad224632fa58d103142c05c44a142f3d7208291

    SHA256

    64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316

    SHA512

    4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

  • memory/2884-0-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-2-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

    Filesize

    256KB

  • memory/2884-1-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-13-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-14-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-15-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

    Filesize

    256KB