Analysis

max time kernel:   24s
max time network:  14s
platform:          windows10-2004_x64
resource:          win10v2004-20240426-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted:         28/04/2024, 14:17

Behavioral task:   behavioral1
Sample:            RAT NUKER.exe
Resource:          win10v2004-20240426-en
5 signatures
150 seconds
General

Target:   RAT NUKER.exe
Size:     4.8MB
MD5:      08a2be2852091cf452b7e596f87f91f9
SHA1:     567ba316f5a6745d523d86c328b8ce5e97949fdc
SHA256:   efafe40607d679a1a22c99d903e484cac933e9e972e7a1907023bd2342a38081
SHA512:   6a61ba5cc5749a6c2a922344f0b62651bc57c15dae9c9a98f8b7830656f21eed8e388d67604b206938bace2183238a7e58d1deb196174b7fd0a7d782974946e3
SSDEEP:   98304:UsRKcIJMICcuo0Gdgu97iaRt8rAsFbwV9WqQmST/+s0y6mhlIuK:UsocIJ6cuu9uIXr4nhCv
Score:    1/10
Malware Config
Signatures

All five signatures below are attributed to taskmgr.exe (PID 3032). None is attributed to the sample's own process, RAT NUKER.exe (PID 3528), which is consistent with the 1/10 score.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the vendor and product strings in the device instance ID and the FriendlyName value reveal a virtual disk (VMware, VBOX, QEMU and similar) unless the sandbox spoofs them.

description        ioc                                                                                                                                                  process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                      taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                         taskmgr.exe

The property key {b725f130-47ef-101a-a5f1-02608c9eebac}\000A is DEVPKEY_NAME, the device's display name; together with FriendlyName it is the string an anti-sandbox check compares against known virtualization vendor names. Here the vendor/product pair is DADY/HARDDISK rather than a hypervisor's, which is the kind of spoofed value a sandbox presents to pass such a check.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid    process
3032   taskmgr.exe   (8 occurrences)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                          pid    process
Token: SeDebugPrivilege              3032   taskmgr.exe
Token: SeSystemProfilePrivilege      3032   taskmgr.exe
Token: SeCreateGlobalPrivilege       3032   taskmgr.exe
Token: 33                            3032   taskmgr.exe
Token: SeIncBasePriorityPrivilege    3032   taskmgr.exe

"Token: 33" is a privilege the sandbox did not resolve to a name; privilege LUID 33 is SeIncreaseWorkingSetPrivilege.

Suspicious use of FindShellTrayWindow (34 IoCs)
pid    process
3032   taskmgr.exe   (34 occurrences)

Suspicious use of SendNotifyMessage (33 IoCs)
pid    process
3032   taskmgr.exe   (33 occurrences)
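The SCSI check recorded above is straightforward to reproduce. What follows is an added example, not code from the report, the sandbox or the sample: it parses device-instance paths of the form the report records and applies the vendor/product/FriendlyName string heuristic that public anti-VM checks use, so it shows that the sandbox's DADY/HARDDISK disk passes such a check while a stock VMware disk does not. The marker list, the VMware path, the FriendlyName strings and the `enumerate_scsi_disks` helper (Windows-only, using the standard-library `winreg` module) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Vendor/product/FriendlyName fragments associated with virtual disks.
# Assumption: this list mirrors what public anti-VM checks look for; it is
# not taken from the analyzed sample.
VIRTUAL_DISK_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL")

# Device instance path from the report (the key taskmgr.exe opened).
REPORT_PATH = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"
# Constructed: what the same key typically looks like on an unspoofed VMware guest.
VMWARE_PATH = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000"

# \REGISTRY\MACHINE\SYSTEM\<control set>\Enum\<bus>\<DevType>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance>[\...]
_ENUM_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
    r"\\Enum\\(?P<bus>[^\\]+)\\(?P<devid>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    control_set: str
    bus: str
    device_type: str   # Disk, CdRom, ...
    vendor: str        # Ven_ field
    product: str       # Prod_ field
    revision: Optional[str]
    instance: str      # e.g. 4&215468a5&0&000000


def parse_enum_path(path: str) -> ScsiDevice:
    """Split an Enum\\<bus> registry path into its device-ID components.

    Trailing subkeys/values (\\Properties\\..., \\FriendlyName) are ignored, so
    all three IoC rows from the report parse to the same device.
    """
    m = _ENUM_RE.match(path)
    if not m:
        raise ValueError(f"not an Enum device path: {path!r}")
    fields = m.group("devid").split("&")
    kv = {}
    for field in fields[1:]:
        key, _, value = field.partition("_")   # Ven_DADY -> ("Ven", "DADY")
        kv[key.lower()] = value
    if "ven" not in kv or "prod" not in kv:
        raise ValueError(f"device id lacks Ven_/Prod_ fields: {m.group('devid')!r}")
    return ScsiDevice(m.group("cs"), m.group("bus"), fields[0],
                      kv["ven"], kv["prod"], kv.get("rev"), m.group("inst"))


def looks_virtual(*strings: str) -> Optional[str]:
    """Return the first virtualization marker found in any string, else None."""
    for s in strings:
        normalized = s.replace("_", " ").upper()
        for marker in VIRTUAL_DISK_MARKERS:
            if marker in normalized:
                return marker
    return None


def classify_disk(enum_path: str, friendly_name: str = "") -> dict:
    """The check itself: vendor, product and FriendlyName against the marker list."""
    dev = parse_enum_path(enum_path)
    marker = looks_virtual(dev.vendor, dev.product, friendly_name)
    return {"vendor": dev.vendor, "product": dev.product, "instance": dev.instance,
            "marker": marker, "virtual": marker is not None}


def enumerate_scsi_disks() -> list:
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SCSI like taskmgr.exe did (Windows only)."""
    import winreg  # Windows-only; imported lazily so the module loads elsewhere
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\SCSI") as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            devid = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, devid) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    inst = winreg.EnumKey(devkey, j)
                    with winreg.OpenKey(devkey, inst) as instkey:
                        try:
                            friendly = winreg.QueryValueEx(instkey, "FriendlyName")[0]
                        except FileNotFoundError:
                            friendly = ""
                    path = rf"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\{devid}\{inst}"
                    try:
                        found.append(classify_disk(path, friendly))
                    except ValueError:
                        pass  # device ID without Ven_/Prod_ fields
    return found


if __name__ == "__main__":
    # Constructed FriendlyName strings; the report does not record the queried value.
    print(classify_disk(REPORT_PATH, "DADY HARDDISK SCSI Disk Device"))
    print(classify_disk(VMWARE_PATH, "VMware Virtual disk SCSI Disk Device"))
```

Run it on a Windows host to see what a sample running this check would conclude about that machine; on a sandbox built to defeat the check, `enumerate_scsi_disks()` returns entries with `virtual` set to False, exactly as the DADY/HARDDISK device in this report would.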
Processes

C:\Users\Admin\AppData\Local\Temp\RAT NUKER.exe   (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\RAT NUKER.exe"
  PID: 3528
  (no signatures)

C:\Windows\system32\taskmgr.exe   (depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3032
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage