Overview

overview

10

Static

static

10

7_zip_installer.exe

windows7-x64

8

CHOCORAT.exe

windows7-x64

10

ChrisMessage.exe

windows7-x64

1

Free Porn.exe

windows7-x64

1

Gay Porn Mailer.exe

windows7-x64

1

GottaWork.exe

windows7-x64

PleaseWork.exe

windows7-x64

THING.exe

windows7-x64

7

Technoturn...AT.exe

windows7-x64

1

Verified by Visa.exe

windows7-x64

10

abwsx1.exe

windows7-x64

7

eee.exe

windows7-x64

1

hypno.exe

windows7-x64

8

mbam-setup...00.exe

windows7-x64

8

molesto.exe

windows7-x64

1

runme.exe

windows7-x64

7

setup.exe

windows7-x64

3

sevgi.exe

windows7-x64

6

shrek.exe

windows7-x64

8

upnp.exe

windows7-x64

7

virus.exe

windows7-x64

10

vmdestroyer.exe

windows7-x64

7

Analysis

  • max time kernel
    294s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Verified by Visa.exe

  • Size

    203KB

  • MD5

    317acdfc40a1101e24581e36cbedf08b

  • SHA1

    18a4e6f44f5e40602e9a667ee0563ee344858c16

  • SHA256

    05e59171a19c97bf2fa9dead4de20645fc41cf9fcbd59fc014cdc7a571c185d3

  • SHA512

    5edaa32431dee3dc02c1d3b559ecc6984258876e9307bbaf367c9b1fb80fefee2ba11d46f6f1bedc9aee2481a0d8b904b6e66f909d759b50b94d3a8d05cf4c52

  • SSDEEP

    6144:ULV6Bta6dtJmakIM5+72k3q7jrVGxP23GqRNL:ULV6BtpmkPq7jRKP23XL

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Verified by Visa.exe
    "C:\Users\Admin\AppData\Local\Temp\Verified by Visa.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp33AE.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2176
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3479.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp33AE.tmp
    Filesize

    1KB

    MD5

    5a64bf7a3b7c0522f2cffdecb6a5bd3a

    SHA1

    51047690aec1d83371a537f2db77060128109724

    SHA256

    809a9dadbd18413c89bce18aa3bffc955462a9aa32e930f570b14ae0e0f92847

    SHA512

    9f57cfcbc3a898dffc7715f2dd7e216ae4a6e2ddeb1952fb3bd1af8cef9fbcc718cdd41694dfad0ee8cb3781c00d8c7212646c3e7fdf2b07767ee2647e5b5955

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp3479.tmp
    Filesize

    1KB

    MD5

    447ab194ab36cb1d20078d80e502b1b2

    SHA1

    a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0

    SHA256

    8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5

    SHA512

    49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327

    Download Submit
  • memory/1824-0-0x0000000074A11000-0x0000000074A12000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1824-1-0x0000000074A10000-0x0000000074FBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1824-2-0x0000000074A10000-0x0000000074FBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1824-10-0x0000000074A10000-0x0000000074FBB000-memory.dmp
    Filesize

    5.7MB

    Download