Analysis Overview
SHA256
44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Threat Level: Known bad
The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 08:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 08:25
Reported
2024-05-11 08:27
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6364.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp6364.tmp
| Hash | Value |
|---|---|
| MD5 | 4e72793a8838fcfff8053f7462411945 |
| SHA1 | 2d13b860980e328a12a8397d7896f1c6e9ecbfa4 |
| SHA256 | a07a4e04aea7e5643380977ae00dbef0e14ce2447a672fae53b89c74efb6dc90 |
| SHA512 | 2075334cada2199a2a1716c200474174056a700dbba673adbe7df5224e3c0b8e6a133b450b87f0a3d7f31337901a4676c422127abafb3f364a68c41c08b1dd73 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LLZYY127UXH9O5TDBY0Q.temp
| Hash | Value |
|---|---|
| MD5 | 447bbb8c0e8c78c6b5ce725a314904d3 |
| SHA1 | 8e544bbc1fd212141b5cad0ebfe0fc3d90fde563 |
| SHA256 | edc79d90be33e45e3336feedba36f8e4ea61c77cf6c834eee04c553bd2c53425 |
| SHA512 | 652be83990fd2647449df4deddd9a29f641a8f9de450f516fef28046ff3b5d3193f5a1098297a49d610972faec2486de53d85ab7347ff2b1113b9c5fddb0d947 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 08:25
Reported
2024-05-11 08:27
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4880 set thread context of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8760.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88C8.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.178:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.178:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp
| Hash | Value |
|---|---|
| MD5 | af4404b2f40347b8dc341fc4a8f2cfcf |
| SHA1 | 5d157fb481c54c9c9aa0c397c96d892943738976 |
| SHA256 | c6b214362ad6eea7d8e857a9f794eab01930feeb3707b168ca29d1efbc70b412 |
| SHA512 | 31ee8bc3ef818b3495f87bb6cfece9ea97e3f41d059426a9f85489c0a780bb26cab93920aba1962c6b84be5fe3eb3c2999af1a3e0e10e1c8804486dab410a983 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kooysrwy.l2f.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmp8760.tmp
| Hash | Value |
|---|---|
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp88C8.tmp
| Hash | Value |
|---|---|
| MD5 | 2f26d92c1eeead3896820e56ec46f6f1 |
| SHA1 | d95533b61eed7d89e4ada56bc566d60e42ac1f61 |
| SHA256 | 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa |
| SHA512 | 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 844b6a1b1359c19744a18316b8338f5b |
| SHA1 | 9781386fa7e9abcfcf90b3f1d8b5bfdcdcff15c6 |
| SHA256 | d36884143e0b218c1cac678167371e5294094d72f09d5768c2bd2769ae55e53a |
| SHA512 | b6d8ebcaf164378c4772e0bce7626678d4a20a46d0feefbe696d7ae6a4c2dce8f573d5474ce8c63292613f62e6485274959eb69bd9c6f4538b21d0f7d43cd6bf |