Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 00:01
General
-
Target
EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
-
Size
203KB
-
MD5
bba733ae6622aab730f4833f85f2b7df
-
SHA1
136ba13c922525e139b79ce1397eacd5bff1101c
-
SHA256
2e935cf07542a29f48be90925fc43b77da788b17b15e3917b90183a59cd2576d
-
SHA512
6ed95ccf4eadd32a3d88941b77d3835894ca0a4b46b76e363be5f80cef1f0456f10c31bdd62b38aaef1a1b55eb96127da77e29aee9bbb0bb42e02125c153affc
-
SSDEEP
3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI3aQYusdrK6ymbcYmRriGNny:sLV6Bta6dtJmakIM5tax0cYgrimy
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D26.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E02.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4D26.tmpFilesize
1KB
MD5896a323db8a4e1466dee95088bcad9e5
SHA1ade5e880c93357e0ff664d74746cdf4ec93fdbba
SHA256dd51236bd347d8c57ce5f5eb9e455607d627cf6a725b8a998bd6a236e7598d21
SHA512c9b45b31c1f054cb9cfd442402b455b97c50177ca37e2f6f01d77ff6a16e61c319157c8a42cd6b8c74b188e6b295fce19d228b1775e8349f33b0ac42a6047096
-
C:\Users\Admin\AppData\Local\Temp\tmp4E02.tmpFilesize
1KB
MD55fea24e883e06e4df6d240dc72abf2c5
SHA1d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA51215afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924
-
memory/4804-0-0x00000000755A2000-0x00000000755A3000-memory.dmpFilesize
4KB
-
memory/4804-1-0x00000000755A0000-0x0000000075B51000-memory.dmpFilesize
5.7MB
-
memory/4804-2-0x00000000755A0000-0x0000000075B51000-memory.dmpFilesize
5.7MB
-
memory/4804-5-0x00000000755A0000-0x0000000075B51000-memory.dmpFilesize
5.7MB
-
memory/4804-11-0x00000000755A2000-0x00000000755A3000-memory.dmpFilesize
4KB
-
memory/4804-12-0x00000000755A0000-0x0000000075B51000-memory.dmpFilesize
5.7MB
-
memory/4804-13-0x00000000755A0000-0x0000000075B51000-memory.dmpFilesize
5.7MB