Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
30-04-2024 13:42
General
-
Target
MW2 FOV Changer.exe
-
Size
15.2MB
-
MD5
57d5a31aa74a02a1c155aaa618c290c1
-
SHA1
9dd86085bc7f7497d8b437de5da8db54e8703ace
-
SHA256
af917a63e27ea18999a8f1feb4e7fa60955f21dd3c8fac6a4d9c5bb34f4d2ca1
-
SHA512
c46bfd6e3877812bad8456e6d13c36db4f69d8e6798d47a41aa24bb3f16229deef2e852b9956ab745ae1acdbcf1a4b610e7b652ab16902f0efe8f4988c4559f3
-
SSDEEP
24576:tvoagpQjczZKdUt5TKX+aW1dMG0m6jYg1CZbBJT0n:5TaQgZ2GbMGf4CZDIn
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 9 IoCs
-
Executes dropped EXE 29 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 8 IoCs
-
Enumerates processes with tasklist 1 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MW2 FOV Changer.exe"C:\Users\Admin\AppData\Local\Temp\MW2 FOV Changer.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SystemHosts.exe"C:\Users\Admin\AppData\Local\Temp\SystemHosts.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /nh /fi "imagename eq .exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i ".exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exeC:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WMIHost\WMIhook.exe.lnk " /f5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E61.tmp"3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD540b0c3caa1b14a4c83e8475c46bf2016
SHA1af9575cda4d842f028d18b17063796a894ecd9d0
SHA25670e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867
SHA512916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7
-
Filesize
319B
MD5824ba7b7eed8b900a98dd25129c4cd83
SHA154478770b2158000ef365591d42977cb854453a1
SHA256d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e
-
Filesize
6.7MB
MD5ffbb57869e7c843b9cbf902b18a7a94e
SHA134feee7ae338d055b7176a49baa8e23165f2352f
SHA256d3ceef6f206fd2c0b1768f6767da1accfb2c2870512569169fe4706e56b75736
SHA5120fa8b38a7e82964a054c8f56911e6276d50921c3659120b8275e5cfd55fc69644beb6a45f29423a14c26f8b7c39141dcbf25a6aac88de2b5f3ee93a2e8c705eb
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
Filesize
1KB
MD524de2170a8dce23ab327cf07c00cd17e
SHA1c759a98d8447e9674d0707da64cd97204720c0ae
SHA256fa98fbb5ddd9fcbcdc76196d8dc524602815d90d244eb43f7f983a829b7d3b3d
SHA51283ea8711513efbd1a4045b27fcd916cab7c9b6ab3e519500db114287b8a42103f44142e1c350f1f7a0bb76d291bfc838834d423338a23a30ff2f15066ff87d2b
-
Filesize
908B
MD5d7c288d9bacec13a0897d6d14df31b30
SHA12bfbac17932b3eadecb10118590f245ae653d226
SHA256b9b922decdb6ce43dcba3ec599041e9960a8656496425a27afd219f94ffc306b
SHA512bf43ec2413123660c97edb5db0873334a7c9de84936c4bf20cd5305d13c87c28991f42c5ce89cd66ce4e2b243c68a153287baa92fcf8e22bd7e24696e8eff7ad
-
Filesize
190B
MD57940fc58219887a93fd5ec25cb249429
SHA186a8f8971dcfb9d6411bf0376a68ff11f1cf5272
SHA256a4bb7d456f665ce87b608df3ad11c684d231553a511ef0050b197c1dc632b1db
SHA5120adcaf63ec2920082b9ff81ab992aad6c80f9498ada61b88b6fbcef26b667ca6ebb9414354bc7faeaecb0d3c0d5a21313a8e94ca9b440327be68289128d573cb
-
Filesize
100B
MD52aa15a8028ab63147ea2c88ced182f8c
SHA1ed98166113b2952ff5d61fb2211f6d20d1c39e1d
SHA25628cb990a5b7789117a735e842c8a6345ff20e4c2662ec4ae6d664d759bf6dfe1
SHA512f3a13023ab0f06e0abb398d0dec2638ff12d180ad816d23fda257fba091cb347ca174c4c4f0bc6f193bb838c29bae64ad662389c313e07f1fec33a30b5435e64
-
Filesize
349KB
MD54a00f1474bf08339715d1fbc3c7d72b0
SHA192459a6ac28efe4b6ef89e73de1de29ae3d59ce0
SHA256f6b061ab8081596317876f9c7b776cb6466e0c2a19398c31d1a83741d2f94b6c
SHA5124f46d7d00065d1a16ad3db88a6633f0665f2a4fda6041d657b2ea5dfc634d58947e44c3e0957fca30f3e4c473100e28cd77d60e8eea73a1f9a16c3a110b68266
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
376KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB