Analysis Overview
SHA256
bda855dc115902664e92ff1c4b945f367ea2a9372dc00d7b2f560ab15aca4835
Threat Level: Known bad
The file dildobuttsex.exe was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 06:14
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 06:14
Reported
2024-06-26 06:17
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 772 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 772 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 772 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 772 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 772 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 772 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe
"C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CC7.tmp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t-protecting.gl.at.ply.gg | udp |
| US | 147.185.221.20:24735 | t-protecting.gl.at.ply.gg | tcp |
Files
memory/772-0-0x00000000750F2000-0x00000000750F3000-memory.dmp
memory/772-1-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/772-2-0x00000000750F0000-0x00000000756A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp
| MD5 | 1156c8494f802c2458973e9358495fde |
| SHA1 | 0e0eca23efc056ebe032b95b94d2246f05946874 |
| SHA256 | 467138bedaa8358054acdb93ed4237f4e8125471402d2046a2fd26016500e353 |
| SHA512 | a8bfb90b48042703209d2c7437af324c9b42e34447a33dbbb50a706b89fb388ce3e807c99c98cc904491e7bdb8c68a4247b48f9632ebc3e18a892b0059e8c82a |
C:\Users\Admin\AppData\Local\Temp\tmp3CC7.tmp
| MD5 | 0339b45ef206f4becc88be0d65e24b9e |
| SHA1 | 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad |
| SHA256 | 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83 |
| SHA512 | c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551 |
memory/772-10-0x00000000750F2000-0x00000000750F3000-memory.dmp
memory/772-11-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/772-12-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/772-13-0x00000000750F0000-0x00000000756A1000-memory.dmp