Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-04-2024 01:01

General

  • Target

    4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

  • Size

    203KB

  • MD5

    07d9144c3b3cfe44c24f850a74faaacc

  • SHA1

    1df82c6dbe192d9f78e137bb96c499fd5f0c93a5

  • SHA256

    4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0

  • SHA512

    39120f944f46dfa34f0d4a2e59a9bdb74a76d9f69b55c054969a96666b0366651bcc2a0ab4a48f3243a2046e961f43fba5e13d5b04248eeae0f86b7428133584

  • SSDEEP

    6144:sLV6Bta6dtJmakIM51O3JM1fMKQqa7FPp0k4v:sLV6BtpmkBGpC78v

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
    "C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FF0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3020
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp704F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6FF0.tmp

    Filesize

    1KB

    MD5

    9913e267519b245bd05576cd155e618b

    SHA1

    f9988cc21222e156d8df51cc1c67ff394e0baa9a

    SHA256

    db8d12fa91ed89d361af77401bd08785c5b7d538627fe2591c69ad675daee81d

    SHA512

    fec48c5fec8a03bc55ff319580a512fcbe476d309cfb4dc8563f3cf5266a68418b8a200a2e6f0fb1131c936f6a9d79cdb0ba72e6f225c36921c6188021acd882

  • C:\Users\Admin\AppData\Local\Temp\tmp704F.tmp

    Filesize

    1KB

    MD5

    bbb0d424bb7cb3b0e6aeb68cf82b8f5f

    SHA1

    7e95dcd21a27ee53e5c23ed5a163df56a43d572a

    SHA256

    08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130

    SHA512

    0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466

  • memory/4984-0-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-1-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

    Filesize

    64KB

  • memory/4984-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-10-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

    Filesize

    64KB

  • memory/4984-11-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-12-0x0000000074DB0000-0x0000000075361000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-13-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

    Filesize

    64KB