Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 21:10

General

  • Target

    Test2.exe

  • Size

    202KB

  • MD5

    c780e7577e6393e3477d90e1fbaafee7

  • SHA1

    060d311acc645042feee43d64f59ba4656a6ce04

  • SHA256

    595ee121f09db84c800fea2180b08ff05908b3fd1eb80d55ef4c9110efe06c40

  • SHA512

    76a623cd79b95093c61dd20f2af4eb5ff99ef17f2b9d9eca35673f687d0fff219fde3f88afff546c6a4059ab2c5b5c60b9d5d63bcd98f927a23209231b9e5782

  • SSDEEP

    6144:gLV6Bta6dtJmakIM57lE4UXkD2rovrO6mlOR:gLV6BtpmkM24ttvr5R

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Test2.exe
    "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:228
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:5080
    • C:\Users\Admin\AppData\Local\Temp\Test2.exe
      "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
      1⤵
        PID:1784
      • C:\Users\Admin\AppData\Local\Temp\Test2.exe
        "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
        1⤵
          PID:4676

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Test2.exe.log

          Filesize

          496B

          MD5

          5b4789d01bb4d7483b71e1a35bce6a8b

          SHA1

          de083f2131c9a763c0d1810c97a38732146cffbf

          SHA256

          e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

          SHA512

          357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

        • memory/228-1-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/228-2-0x0000000000880000-0x0000000000890000-memory.dmp

          Filesize

          64KB

        • memory/228-4-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/228-5-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/228-6-0x0000000000880000-0x0000000000890000-memory.dmp

          Filesize

          64KB

        • memory/228-0-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/1784-7-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/1784-9-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/1784-13-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/1784-8-0x0000000001520000-0x0000000001530000-memory.dmp

          Filesize

          64KB

        • memory/4676-10-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/4676-11-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB

        • memory/4676-15-0x0000000075250000-0x0000000075801000-memory.dmp

          Filesize

          5.7MB