Analysis Overview
SHA256
b89a70f1b581bb4807cb6a7c40146f0b28e2f1469c83bd019c1a37819da85a79
Threat Level: Known bad
The file wxipp.exe was found to be: Known bad.
Malicious Activity Summary
Nanocore family
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-27 18:53
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 18:53
Reported
2024-06-27 18:55
Platform
win7-20240221-en
Max time kernel
66s
Max time network
70s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2216 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2216 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wxipp.exe
"C:\Users\Admin\AppData\Local\Temp\wxipp.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
Files
memory/2216-0-0x0000000074631000-0x0000000074632000-memory.dmp
memory/2216-1-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2216-2-0x0000000074630000-0x0000000074BDB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp
| MD5 | 161a228bbffc66c3ecaff78b2ca5e6ba |
| SHA1 | d9559ecf4ee35e58405b05f88759c705cdb2ac06 |
| SHA256 | e56a6fb81d329006e80a7fa324455ef08101450f62551d93c93b0079abc850a0 |
| SHA512 | 61bcd916404f2feccf824845e93c9d9f6cdfae52785e50cc94217f87a2e3162a494ac5d29676b6322a80940614bf0aab922f124cccca7f23cc6fc1485a94e106 |
memory/2216-6-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2216-7-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2216-8-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2216-9-0x0000000074630000-0x0000000074BDB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 18:53
Reported
2024-06-27 18:56
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
146s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1480 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1480 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1480 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1480 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1480 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\wxipp.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wxipp.exe
"C:\Users\Admin\AppData\Local\Temp\wxipp.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3151.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| N/A | 127.0.0.1:40000 | tcp | |
| US | 8.8.8.8:53 | thecat13.ddns.net | udp |
| IN | 49.206.41.30:40000 | thecat13.ddns.net | tcp |
Files
memory/1480-0-0x0000000075492000-0x0000000075493000-memory.dmp
memory/1480-1-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/1480-2-0x0000000075490000-0x0000000075A41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3151.tmp
| MD5 | 161a228bbffc66c3ecaff78b2ca5e6ba |
| SHA1 | d9559ecf4ee35e58405b05f88759c705cdb2ac06 |
| SHA256 | e56a6fb81d329006e80a7fa324455ef08101450f62551d93c93b0079abc850a0 |
| SHA512 | 61bcd916404f2feccf824845e93c9d9f6cdfae52785e50cc94217f87a2e3162a494ac5d29676b6322a80940614bf0aab922f124cccca7f23cc6fc1485a94e106 |
memory/1480-6-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/1480-7-0x0000000075492000-0x0000000075493000-memory.dmp
memory/1480-8-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/1480-9-0x0000000075490000-0x0000000075A41000-memory.dmp