Malware Analysis Report

2024-08-06 15:10

Sample ID 240524-asb7laef61
Target SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
SHA256 9c91a1b8c4da2d7588f3aecd76cdee7dba24d95f0874f79fa711c0b0a490e273
Tags
nanocore evasion execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c91a1b8c4da2d7588f3aecd76cdee7dba24d95f0874f79fa711c0b0a490e273

Threat Level: Known bad

The file SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-24 00:28

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 00:28

Reported

2024-05-24 00:30

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2216 set thread context of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
File created C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2216 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 1660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tpwLHsKzvxy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tpwLHsKzvxy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp93A6.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 psolver827.ddns.net udp
BG 185.216.70.125:1974 psolver827.ddns.net tcp
US 8.8.8.8:53 125.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 psolver827.ddns.net udp
BG 185.216.70.125:1974 psolver827.ddns.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2216-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/2216-1-0x0000000000B20000-0x0000000000BD2000-memory.dmp

memory/2216-2-0x0000000007FC0000-0x0000000008564000-memory.dmp

memory/2216-3-0x0000000007AB0000-0x0000000007B42000-memory.dmp

memory/2216-4-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/2216-5-0x0000000005030000-0x000000000503A000-memory.dmp

memory/2216-6-0x0000000007D60000-0x0000000007D7A000-memory.dmp

memory/2216-7-0x0000000007D80000-0x0000000007D90000-memory.dmp

memory/2216-8-0x0000000008FA0000-0x000000000901A000-memory.dmp

memory/2216-9-0x0000000006860000-0x00000000068FC000-memory.dmp

memory/3788-14-0x00000000029D0000-0x0000000002A06000-memory.dmp

memory/3788-15-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/3788-16-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/3788-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/3788-18-0x0000000005B60000-0x0000000005B82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp

MD5 7d8d5aa0271c6758e7f4a46bc1fe32e0
SHA1 21f7d6be2ee21ccc4438aa8e7919e750c2c33044
SHA256 a8a5eaece6a2800a7ac3140ba4344b3562c745151fe28e89dbf3f650199e6624
SHA512 169be6db69d50f7a25c02860da4b6d0970ca9851b233ac66a6562ee74af5bbdc11ef9ca10e16059e753058d2d46b9ff1e42305ba41042d612f6b900ff0e944db

memory/3788-22-0x0000000005C70000-0x0000000005CD6000-memory.dmp

memory/3788-20-0x0000000005C00000-0x0000000005C66000-memory.dmp

memory/4712-19-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4712-23-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsjd3c20.lsp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3788-43-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/3788-33-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/1660-46-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3788-45-0x0000000006330000-0x000000000637C000-memory.dmp

memory/3788-44-0x00000000062F0000-0x000000000630E000-memory.dmp

memory/2216-48-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp

MD5 fd893d0b6552c99ad52ab4413a1f6895
SHA1 19a0a4235514de4eb7c07c2f2b2a3dfe530bf077
SHA256 4d41336da15a13c68ed804d35a86df616578c259baed14c785cc66db3939c0ed
SHA512 b91683b89ac407456f004214049de8335c8d885cdb44a90906774451416be43167ec3797e4ed7e0ceeefdd40660d3c28d81d23ee9dde4ce74e7841024faec2e8

memory/3788-56-0x00000000702B0000-0x00000000702FC000-memory.dmp

memory/3788-66-0x00000000074C0000-0x00000000074DE000-memory.dmp

memory/3788-67-0x00000000074F0000-0x0000000007593000-memory.dmp

memory/3788-55-0x00000000068D0000-0x0000000006902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp93A6.tmp

MD5 a77c223a0fc492dccd6fb9975f7a8766
SHA1 5e813636ae9b8138d78919348a5da3a6e8bd74b5
SHA256 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
SHA512 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0

memory/1660-70-0x0000000005840000-0x000000000584A000-memory.dmp

memory/1660-71-0x0000000005850000-0x000000000586E000-memory.dmp

memory/1660-72-0x00000000064B0000-0x00000000064BA000-memory.dmp

memory/3788-73-0x0000000007620000-0x000000000763A000-memory.dmp

memory/3788-69-0x0000000007C70000-0x00000000082EA000-memory.dmp

memory/3788-74-0x0000000007690000-0x000000000769A000-memory.dmp

memory/4712-76-0x00000000702B0000-0x00000000702FC000-memory.dmp

memory/3788-86-0x00000000078A0000-0x0000000007936000-memory.dmp

memory/3788-87-0x0000000007820000-0x0000000007831000-memory.dmp

memory/3788-88-0x0000000007850000-0x000000000785E000-memory.dmp

memory/1660-91-0x0000000006E60000-0x0000000006E7A000-memory.dmp

memory/1660-94-0x0000000006EB0000-0x0000000006EBE000-memory.dmp

memory/1660-93-0x0000000006EA0000-0x0000000006EB2000-memory.dmp

memory/1660-92-0x0000000006E90000-0x0000000006E9E000-memory.dmp

memory/1660-90-0x0000000006E50000-0x0000000006E62000-memory.dmp

memory/1660-97-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

memory/1660-99-0x0000000006F20000-0x0000000006F2E000-memory.dmp

memory/1660-101-0x0000000006F60000-0x0000000006F74000-memory.dmp

memory/1660-100-0x0000000006F30000-0x0000000006F5E000-memory.dmp

memory/1660-98-0x0000000006F00000-0x0000000006F14000-memory.dmp

memory/1660-96-0x0000000006ED0000-0x0000000006EE4000-memory.dmp

memory/1660-95-0x0000000006EC0000-0x0000000006ECC000-memory.dmp

memory/3788-102-0x0000000007860000-0x0000000007874000-memory.dmp

memory/3788-103-0x0000000007960000-0x000000000797A000-memory.dmp

memory/3788-104-0x0000000007940000-0x0000000007948000-memory.dmp

memory/4712-107-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 08f982944b4e5d5723e418829d841cee
SHA1 b58f34554080a4c0d2623ba23d7adce417f8ce8a
SHA256 5f9cb3397ec09ebdaae42c3ae6d4b96434d88a5e5810f91537a9e9ff2b4a510c
SHA512 f41690bb201c8678a649b5597f1040e4db3496693d1bd5fda0df95e46d975a36b668a3b969353c070c9b9bd95dbf8dae585637b62216e61908063c96f9686694

memory/3788-111-0x0000000074CA0000-0x0000000075450000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 00:28

Reported

2024-05-24 00:30

Platform

win7-20240221-en

Max time kernel

118s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 2180 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe
PID 852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tpwLHsKzvxy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tpwLHsKzvxy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp407A.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4131.2756.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp425D.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp42DB.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 psolver827.ddns.net udp
BG 185.216.70.125:1974 psolver827.ddns.net tcp
US 8.8.8.8:53 psolver827.ddns.net udp
BG 185.216.70.125:1974 psolver827.ddns.net tcp

Files

memory/2180-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

memory/2180-1-0x00000000011D0000-0x0000000001282000-memory.dmp

memory/2180-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2180-3-0x0000000000950000-0x000000000096A000-memory.dmp

memory/2180-4-0x0000000000890000-0x00000000008A0000-memory.dmp

memory/2180-5-0x00000000073D0000-0x000000000744A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EH08YOT7X5LH4NIQD9I9.temp

MD5 b98275e3d06256ea081792cc9e2d5245
SHA1 d12ca912f1bcee8097d42d46a59ec7de49561870
SHA256 35290a7fe9890626bae578f904568b510e19e4b7753b9f5336814a4c46e0e5a7
SHA512 16d22aad61f3d60eeb0cbc03dd518e2a18990155c7899de23c2787b9cae0bfe01c8b2dc833d05dee0be828a523fe23267c9a631e32e384621d3db14ded27b738

C:\Users\Admin\AppData\Local\Temp\tmp407A.tmp

MD5 75e3faef378ab08be479792f28d61f87
SHA1 12c9fb0e110be9e2e44f5ef7efd555c6ba363f5c
SHA256 30251f27be8f3c8c798113b12370a6f5e10fb8f85900f74f8f808edb793d735a
SHA512 ed431d5ba2ac40014d1a9db6dd9e66bd9565b2af3e95b036203a2254d217bed45908f3332bd68c74016c7c2c74aa9c827036a4db5965812f28a169c7f6c394cd

memory/852-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/852-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2180-30-0x00000000744D0000-0x0000000074BBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp425D.tmp

MD5 fd893d0b6552c99ad52ab4413a1f6895
SHA1 19a0a4235514de4eb7c07c2f2b2a3dfe530bf077
SHA256 4d41336da15a13c68ed804d35a86df616578c259baed14c785cc66db3939c0ed
SHA512 b91683b89ac407456f004214049de8335c8d885cdb44a90906774451416be43167ec3797e4ed7e0ceeefdd40660d3c28d81d23ee9dde4ce74e7841024faec2e8

C:\Users\Admin\AppData\Local\Temp\tmp42DB.tmp

MD5 3d1580c0395f6de62659467f5b7f1acf
SHA1 8e73a3885896cecca7ff799a272fc9ddfe06ea96
SHA256 6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714
SHA512 7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

memory/852-38-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/852-39-0x0000000000510000-0x000000000052E000-memory.dmp

memory/852-40-0x00000000004C0000-0x00000000004CA000-memory.dmp

memory/852-43-0x0000000000590000-0x00000000005A2000-memory.dmp

memory/852-44-0x0000000000810000-0x000000000082A000-memory.dmp

memory/852-45-0x0000000000830000-0x000000000083E000-memory.dmp

memory/852-47-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

memory/852-46-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

memory/852-48-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

memory/852-49-0x0000000000C40000-0x0000000000C54000-memory.dmp

memory/852-50-0x0000000000C90000-0x0000000000CA0000-memory.dmp

memory/852-51-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

memory/852-52-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

memory/852-53-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

memory/852-54-0x0000000000D50000-0x0000000000D64000-memory.dmp