Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-04-2024 14:38

General

  • Target

    Compiled.exe

  • Size

    203KB

  • MD5

    4416fa597c89aafa7300ed07f9cb7d4a

  • SHA1

    7d6e05a6542cc4b3c1dfc3a411f380e99a3b3c7d

  • SHA256

    567db242748a7d46ce499a165b52723c01652d9e274ce52c92543f6c379eec9a

  • SHA512

    5e2fc7cb22644304b86f47847545400fd82e6e4588d733d35db55b230748ac4836aa49d2533bb9d07f37474b6e4a8347065ea63d6af1ae9d83828c8ca15f7203

  • SSDEEP

    6144:sLV6Bta6dtJmakIM5Tc0kTgdXi6Wv7zoE9:sLV6Btpmk0c1cXNYAo

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Compiled.exe
    "C:\Users\Admin\AppData\Local\Temp\Compiled.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6002.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6002.tmp

    Filesize

    1KB

    MD5

    b739426c34b9d0becdfdc70896340316

    SHA1

    e839421f50c1d50f351d9eaf5fbdc8b0ea05f938

    SHA256

    c318088fc23a3676e142d01c456b11e11bc527568812e51ff2e5f1d5c45538c1

    SHA512

    1734aed913c0a5f66470773a6dcff567c2b15be15788cf4fb4ee0817fb50769cc00ad87a0a9d804d57197ca1a65c40136961d5ee5da490898d5e37411b3f8fe0

  • memory/4356-0-0x0000000075060000-0x0000000075611000-memory.dmp

    Filesize

    5.7MB

  • memory/4356-1-0x0000000075060000-0x0000000075611000-memory.dmp

    Filesize

    5.7MB

  • memory/4356-2-0x0000000000FF0000-0x0000000001000000-memory.dmp

    Filesize

    64KB

  • memory/4356-7-0x0000000000FF0000-0x0000000001000000-memory.dmp

    Filesize

    64KB

  • memory/4356-11-0x0000000075060000-0x0000000075611000-memory.dmp

    Filesize

    5.7MB

  • memory/4356-12-0x0000000075060000-0x0000000075611000-memory.dmp

    Filesize

    5.7MB

  • memory/4356-13-0x0000000000FF0000-0x0000000001000000-memory.dmp

    Filesize

    64KB

  • memory/4356-14-0x0000000000FF0000-0x0000000001000000-memory.dmp

    Filesize

    64KB