Analysis Overview
SHA256
b311a4b65d33d41491e14d50598168da43f75894d30776205213a05248646e86
Threat Level: Known bad
The file database.exe was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-17 10:03
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 10:03
Reported
2024-06-17 10:05
Platform
win10-20240404-en
Max time kernel
66s
Max time network
77s
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DPI Service\dpisvc.exe | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Service\dpisvc.exe | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\database.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\database.exe
"C:\Users\Admin\AppData\Local\Temp\database.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.0.178302193\1007203189" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {363c19ee-a417-4c83-b189-27e4f486cf6d} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 1780 21e290d6158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.1.61261066\327258852" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9028b76-cbfe-49bb-bf1d-20fe77b022c3} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 2136 21e28c30858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.2.1137473995\1508361906" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd16d7cc-cde4-451c-bb5f-32ccb5bb3b7b} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3032 21e2d393158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.3.1101551892\1826522309" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7530f0-619e-4f34-8523-0485c753a2ea} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3564 21e16d62258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.4.1395604087\1774170961" -childID 3 -isForBrowser -prefsHandle 4416 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e663b2-bc31-4f50-9943-f3638876dccd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4428 21e2f2a7858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.5.323068282\1396862862" -childID 4 -isForBrowser -prefsHandle 2524 -prefMapHandle 4824 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99079003-75dc-4463-94dc-af0fe409c5fd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3700 21e2d9ded58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.6.665477055\731759365" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5907bdc-f58f-4fd8-a8ca-557bfd9e8a50} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4956 21e2e1f1058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.7.1184883601\672168546" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5e4df1-d51f-462a-bb72-af22a588f85f} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5140 21e2f9dad58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.8.1875503242\1724517108" -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c430896-2541-40a6-b394-5817bc619d10} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5728 21e31221058 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | local-quote.gl.at.ply.gg | udp |
| US | 147.185.221.20:26704 | local-quote.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | local-quote.gl.at.ply.gg | udp |
| US | 147.185.221.20:26704 | local-quote.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | local-quote.gl.at.ply.gg | udp |
| US | 147.185.221.20:26704 | local-quote.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 52.42.69.239:443 | shavar.prod.mozaws.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49788 | N/A | tcp |
| N/A | 127.0.0.1:49794 | N/A | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.69.42.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.185.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.185.68:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 68.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.181.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:26704 | N/A | tcp |
| N/A | 127.0.0.1:26704 | N/A | tcp |
| N/A | 127.0.0.1:26704 | N/A | tcp |
| US | 8.8.8.8:53 | local-quote.gl.at.ply.gg | udp |
| US | 147.185.221.20:26704 | local-quote.gl.at.ply.gg | tcp |
Files
memory/600-0-0x0000000073A21000-0x0000000073A22000-memory.dmp
memory/600-1-0x0000000073A20000-0x0000000073FD0000-memory.dmp
memory/600-2-0x0000000073A20000-0x0000000073FD0000-memory.dmp
memory/600-5-0x0000000073A20000-0x0000000073FD0000-memory.dmp
memory/600-6-0x0000000073A20000-0x0000000073FD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\329cb8c8-d477-4ce5-8dee-c368a91cacf0
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\b10ad12c-d6b8-4d73-98c4-96520166028a
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4