nanocore | a07f9b08dfe75fe72d5310e298bf85eb71a925865da09a6f8e76e4150e268444

General

Target

exoplor.exe
Size

1022KB
MD5

0ff5ecbe655b0b5781700195d2e8475e
SHA1

88287fb8ae38e8b4b3c7dad7ef72200f1ff6c20d
SHA256

d85538af1e2ee590775bcf2d6cdd5b757eb4eded381f9a3d3c94c81a52534035
SHA512

b3d6e7f0396151265968a3a17b2523e7a8564df5e5332f577791335e3337b4a076971b76485a9bdaca4d181860058e791935e8d459dbfe6f65320dc76bef84a5
SSDEEP

24576:SFuFIa6JCDe6/xeB9RC3EXhJcXiWeAu3mBgVLn7PYzEd:Bt6JKd5YHTXTcXu33mBWLn7PYe

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

exoplor.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ exoplor.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

exoplor.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine exoplor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	exoplor.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	exoplor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

exoplor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	exoplor.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

exoplor.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA exoplor.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

exoplor.exe

pid process

1992 exoplor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	exoplor.exe

pid	process
1992	exoplor.exe

Drops file in Program Files directory 2 IoCs

Processes:

exoplor.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	exoplor.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	exoplor.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1784 schtasks.exe
1028 schtasks.exe

pid	process
1784	schtasks.exe
1028	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

exoplor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	exoplor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9C8A8B49412282E1A8337EB7716792DC8C3F1EB	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9C8A8B49412282E1A8337EB7716792DC8C3F1EB\Blob = 0f00000001000000200000001863c9607fa350a2d263d8137726ea4ca556b78b7f226249586461de8f394f47030000000100000014000000f9c8a8b49412282e1a8337eb7716792dc8c3f1eb2000000001000000f9020000308202f5308201dda0030201020210133e1e3c9448ed6f1de244ad68f8f003300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531363137303030305a170d3239303531353137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100e665ca016ea34a0edb5999e57ffc8cb5654cc27ff218f4d30b2ad66787e43afb6c521ba95bdca73753868d6a33d85675e2d213dadc39b9b917973c972ab6a288a487d37b49280f1261efe9098db43b9d03696e42973e480d9002addc63ce654cf38e39fa4af09e761a951f4f7b402ac4b1ece721e970c34f381c5397b83b698452405fb5746581770be725b4ed8a19d63dd114b45e81cd6196deb241a4f1baa368123feeae7d7b504fd0d68d48dd4d7cd98d6f9c1a8f8150b86e920db3cb381eb6e731a4f7e866d5b04fcff858fa380f748cfebd939affdd6cdf4d51d03aaf03817bad32298bfba82ed11158818307228f86f34e0dd38f6557b0c946544ed3910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bbe895dc201692f641b9f5e8930e1b71c601ad30300d06092a864886f70d01010b0500038201010082bfedf7caa09695d822db1c27ca8874224c93cfe89d7408fc5fbc5895963499dfd6c2be715e2beefddb00c5935b7bdeb8643392204a0995936ba2a71a048cddfb157d5462332fd908978349db816508c7210fabe98d33d74b20ab47fe7188a919ab3f67c0e22d38dfb0d9daac653efe3317a6c42bc5f52588ab2214fc84c75bdd68c644a55616434c95897acf45ce9d8789181ab80e9e9c193e776de9004f350d84aea0bcab5b8cfb56c30a3ef2987334218688ebc000550c6a46b92dfe507b0e7f7808c3d7cf80996d92696c6aa7c27fb2adaacde53eb6a5b981dfde49f63837a793b094ef79f62fe391406efd5e3fc8bf4eedb51432a57102eec88de2bd62	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9C8A8B49412282E1A8337EB7716792DC8C3F1EB\Blob = 140000000100000014000000bbe895dc201692f641b9f5e8930e1b71c601ad30030000000100000014000000f9c8a8b49412282e1a8337eb7716792dc8c3f1eb0f00000001000000200000001863c9607fa350a2d263d8137726ea4ca556b78b7f226249586461de8f394f472000000001000000f9020000308202f5308201dda0030201020210133e1e3c9448ed6f1de244ad68f8f003300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531363137303030305a170d3239303531353137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100e665ca016ea34a0edb5999e57ffc8cb5654cc27ff218f4d30b2ad66787e43afb6c521ba95bdca73753868d6a33d85675e2d213dadc39b9b917973c972ab6a288a487d37b49280f1261efe9098db43b9d03696e42973e480d9002addc63ce654cf38e39fa4af09e761a951f4f7b402ac4b1ece721e970c34f381c5397b83b698452405fb5746581770be725b4ed8a19d63dd114b45e81cd6196deb241a4f1baa368123feeae7d7b504fd0d68d48dd4d7cd98d6f9c1a8f8150b86e920db3cb381eb6e731a4f7e866d5b04fcff858fa380f748cfebd939affdd6cdf4d51d03aaf03817bad32298bfba82ed11158818307228f86f34e0dd38f6557b0c946544ed3910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bbe895dc201692f641b9f5e8930e1b71c601ad30300d06092a864886f70d01010b0500038201010082bfedf7caa09695d822db1c27ca8874224c93cfe89d7408fc5fbc5895963499dfd6c2be715e2beefddb00c5935b7bdeb8643392204a0995936ba2a71a048cddfb157d5462332fd908978349db816508c7210fabe98d33d74b20ab47fe7188a919ab3f67c0e22d38dfb0d9daac653efe3317a6c42bc5f52588ab2214fc84c75bdd68c644a55616434c95897acf45ce9d8789181ab80e9e9c193e776de9004f350d84aea0bcab5b8cfb56c30a3ef2987334218688ebc000550c6a46b92dfe507b0e7f7808c3d7cf80996d92696c6aa7c27fb2adaacde53eb6a5b981dfde49f63837a793b094ef79f62fe391406efd5e3fc8bf4eedb51432a57102eec88de2bd62	exoplor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9C8A8B49412282E1A8337EB7716792DC8C3F1EB\Blob = 1900000001000000100000005e1fa68b298d06df2bbba2659e55a05f0f00000001000000200000001863c9607fa350a2d263d8137726ea4ca556b78b7f226249586461de8f394f47030000000100000014000000f9c8a8b49412282e1a8337eb7716792dc8c3f1eb140000000100000014000000bbe895dc201692f641b9f5e8930e1b71c601ad302000000001000000f9020000308202f5308201dda0030201020210133e1e3c9448ed6f1de244ad68f8f003300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531363137303030305a170d3239303531353137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100e665ca016ea34a0edb5999e57ffc8cb5654cc27ff218f4d30b2ad66787e43afb6c521ba95bdca73753868d6a33d85675e2d213dadc39b9b917973c972ab6a288a487d37b49280f1261efe9098db43b9d03696e42973e480d9002addc63ce654cf38e39fa4af09e761a951f4f7b402ac4b1ece721e970c34f381c5397b83b698452405fb5746581770be725b4ed8a19d63dd114b45e81cd6196deb241a4f1baa368123feeae7d7b504fd0d68d48dd4d7cd98d6f9c1a8f8150b86e920db3cb381eb6e731a4f7e866d5b04fcff858fa380f748cfebd939affdd6cdf4d51d03aaf03817bad32298bfba82ed11158818307228f86f34e0dd38f6557b0c946544ed3910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414bbe895dc201692f641b9f5e8930e1b71c601ad30300d06092a864886f70d01010b0500038201010082bfedf7caa09695d822db1c27ca8874224c93cfe89d7408fc5fbc5895963499dfd6c2be715e2beefddb00c5935b7bdeb8643392204a0995936ba2a71a048cddfb157d5462332fd908978349db816508c7210fabe98d33d74b20ab47fe7188a919ab3f67c0e22d38dfb0d9daac653efe3317a6c42bc5f52588ab2214fc84c75bdd68c644a55616434c95897acf45ce9d8789181ab80e9e9c193e776de9004f350d84aea0bcab5b8cfb56c30a3ef2987334218688ebc000550c6a46b92dfe507b0e7f7808c3d7cf80996d92696c6aa7c27fb2adaacde53eb6a5b981dfde49f63837a793b094ef79f62fe391406efd5e3fc8bf4eedb51432a57102eec88de2bd62	exoplor.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

exoplor.exe

pid process

1992 exoplor.exe
1992 exoplor.exe
1992 exoplor.exe
1992 exoplor.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

exoplor.exe

pid process

1992 exoplor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

exoplor.exe

description pid process

Token: SeDebugPrivilege 1992 exoplor.exe

pid	process
1992	exoplor.exe
1992	exoplor.exe
1992	exoplor.exe
1992	exoplor.exe

pid	process
1992	exoplor.exe

description	pid	process
Token: SeDebugPrivilege	1992	exoplor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

exoplor.exe

description	pid	process	target process
PID 1992 wrote to memory of 1784	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1784	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1784	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1784	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	exoplor.exe	schtasks.exe
PID 1992 wrote to memory of 1028	1992	exoplor.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\exoplor.exe
"C:\Users\Admin\AppData\Local\Temp\exoplor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp21CF.tmp"
2⤵
- Creates scheduled task(s)
PID:1784

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp226C.tmp"
2⤵
- Creates scheduled task(s)
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2020.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp21CF.tmp
Filesize
1KB

MD5
f18bf5b6ddf538145501a5abf6fe366f

SHA1
269c1031fb323b116f5a3062bfcd02649bb0fbea

SHA256
5ed8ccef8293cc57acfb921d8a8d9fb79f768ef19759561a4e7f71c3b960cdcc

SHA512
52fdd6196b5b886250152917587ef670385054231e0590f3d57edc12c81cb02aa694334b619ca544dfb58386cb4275be9c78b56b4f823c76f25f802f59a50e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp226C.tmp
Filesize
1KB

MD5
3d1580c0395f6de62659467f5b7f1acf

SHA1
8e73a3885896cecca7ff799a272fc9ddfe06ea96

SHA256
6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714

SHA512
7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

Download Submit
memory/1992-0-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1992-93-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads