Analysis

  • max time kernel
    56s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-04-2024 17:22

General

  • Target

    godhuntermode.exe

  • Size

    203KB

  • MD5

    fa27771b02f19cbd8ffca1099538858a

  • SHA1

    ae591814aa4b40bc0ecf87a50d0fc1df9d16c7a7

  • SHA256

    26fa94e684087b55f0d0ae839904aba0de3d6bd7f8fc2d19ddea18e6f66b8396

  • SHA512

    c985071e77314a5a3687a522fff337c3ee4b08d228b999694a6f5dbeaadd8b03f717b4c5c50526cb45cff319aaf666a7ddae63f402ed023e8246865750d821c8

  • SSDEEP

    6144:OLV6Bta6dtJmakIM5GO3JM1fMKQqa7FPp0k4n:OLV6BtpmkWGpC78n

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe
    "C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4B61.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:848
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1036
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede40b07-40e0-408d-9f53-144479691608} 836 "\\.\pipe\gecko-crash-server-pipe.836" gpu
        3⤵
        PID:4768
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {244c8de1-d88f-4cd3-ae5b-c7217648d067} 836 "\\.\pipe\gecko-crash-server-pipe.836" socket
        3⤵
        • Checks processor information in registry
        PID:3376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 1604 -prefMapHandle 1532 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b251f0-4aab-43a4-8f20-34e0c76d8b6e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
        3⤵
        PID:1020
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12089586-7a26-47d9-8ff4-f3123a068d11} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
        3⤵
        PID:1316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4884 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {729173ef-f48c-472b-936d-11cbf733140a} 836 "\\.\pipe\gecko-crash-server-pipe.836" utility
        3⤵
        • Checks processor information in registry
        PID:5604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5212 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b93b1b-1b82-40c8-8996-28694003f09e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
        3⤵
        PID:5924
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250cd809-fba5-4995-b7c1-fabf896e7d2b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
        3⤵
        PID:5936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5168 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7210ec9a-46d4-4169-b486-72d3e6cb3f0b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
        3⤵
        PID:5948

Network

MITRE ATT&CK Enterprise v15

Downloads

