Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
14-05-2024 00:01
General
-
Target
EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
-
Size
203KB
-
MD5
bba733ae6622aab730f4833f85f2b7df
-
SHA1
136ba13c922525e139b79ce1397eacd5bff1101c
-
SHA256
2e935cf07542a29f48be90925fc43b77da788b17b15e3917b90183a59cd2576d
-
SHA512
6ed95ccf4eadd32a3d88941b77d3835894ca0a4b46b76e363be5f80cef1f0456f10c31bdd62b38aaef1a1b55eb96127da77e29aee9bbb0bb42e02125c153affc
-
SSDEEP
3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI3aQYusdrK6ymbcYmRriGNny:sLV6Bta6dtJmakIM5tax0cYgrimy
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp29EE.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2A7B.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp29EE.tmpFilesize
1KB
MD5896a323db8a4e1466dee95088bcad9e5
SHA1ade5e880c93357e0ff664d74746cdf4ec93fdbba
SHA256dd51236bd347d8c57ce5f5eb9e455607d627cf6a725b8a998bd6a236e7598d21
SHA512c9b45b31c1f054cb9cfd442402b455b97c50177ca37e2f6f01d77ff6a16e61c319157c8a42cd6b8c74b188e6b295fce19d228b1775e8349f33b0ac42a6047096
-
C:\Users\Admin\AppData\Local\Temp\tmp2A7B.tmpFilesize
1KB
MD5447ab194ab36cb1d20078d80e502b1b2
SHA1a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0
SHA2568d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5
SHA51249ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327
-
memory/2400-0-0x0000000074831000-0x0000000074832000-memory.dmpFilesize
4KB
-
memory/2400-1-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2400-2-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2400-10-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB
-
memory/2400-11-0x0000000074830000-0x0000000074DDB000-memory.dmpFilesize
5.7MB