Overview

overview

10

Static

static

10

randomfile.exe

windows10-2004-x64

10

Resubmissions

23-06-2024 20:43

240623-zhzmksvbnp 10

15-06-2024 09:17

240615-k8793svfqg 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    randomfile.exe

  • Size

    210KB

  • MD5

    004d0d489f1547b76aa91465a2dbc99f

  • SHA1

    c767780d3a0bf1edeead92605ce849a78f3041b6

  • SHA256

    d09b1d9588c03e806ed27e7fe6bee63af7da8d332e719e5dc4579278722e6e99

  • SHA512

    07a90505965d89f9af718d7b15741b5064766dbf599219528ff1c59e70f99338904273f931b25728ead3dc65de41c8ed9cf43b18cca58d62bfc7b856d6cf9ccc

  • SSDEEP

    6144:wLV6Bta6dtJmakIM5j100ody3ydprVaaQE:wLV6Btpmk+G0l3faQE

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\randomfile.exe
    "C:\Users\Admin\AppData\Local\Temp\randomfile.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD3DA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2948
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3044,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
    1⤵
      PID:3548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD3DA.tmp
      Filesize

      1KB

      MD5

      5988267d30e4536e048a71ebf6ce2287

      SHA1

      908ffb7e1ede3b4861251acc3111b13d7673cc03

      SHA256

      20a81a8b3d82762db94c240a16c3a0728370dae1bbee6ab98339aac706002ed1

      SHA512

      dea6b7c07570437197758a1b37710689d77a4b358f5bc39515cb7ace44590c2a58767708f8cac1570e1d0c808dcc48ecdd905809772b891ee9ce27ceba866748

      Download Submit
    • memory/2104-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2104-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2104-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2104-7-0x0000000074EF0000-0x00000000754A1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2104-8-0x0000000074EF2000-0x0000000074EF3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2104-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2104-10-0x0000000074EF0000-0x00000000754A1000-memory.dmp
      Filesize

      5.7MB

      Download