Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/04/2024, 14:38

General

  • Target

    Compiled.exe

  • Size

    203KB

  • MD5

    4416fa597c89aafa7300ed07f9cb7d4a

  • SHA1

    7d6e05a6542cc4b3c1dfc3a411f380e99a3b3c7d

  • SHA256

    567db242748a7d46ce499a165b52723c01652d9e274ce52c92543f6c379eec9a

  • SHA512

    5e2fc7cb22644304b86f47847545400fd82e6e4588d733d35db55b230748ac4836aa49d2533bb9d07f37474b6e4a8347065ea63d6af1ae9d83828c8ca15f7203

  • SSDEEP

    6144:sLV6Bta6dtJmakIM5Tc0kTgdXi6Wv7zoE9:sLV6Btpmk0c1cXNYAo

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Compiled.exe
    "C:\Users\Admin\AppData\Local\Temp\Compiled.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp

    Filesize

    1KB

    MD5

    b739426c34b9d0becdfdc70896340316

    SHA1

    e839421f50c1d50f351d9eaf5fbdc8b0ea05f938

    SHA256

    c318088fc23a3676e142d01c456b11e11bc527568812e51ff2e5f1d5c45538c1

    SHA512

    1734aed913c0a5f66470773a6dcff567c2b15be15788cf4fb4ee0817fb50769cc00ad87a0a9d804d57197ca1a65c40136961d5ee5da490898d5e37411b3f8fe0

  • memory/1976-0-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-2-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

    Filesize

    256KB

  • memory/1976-10-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-11-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-12-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

    Filesize

    256KB