Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
12-07-2024 10:19
General
-
Target
playit.exe
-
Size
202KB
-
MD5
96922ff790264130780d92489a232eb0
-
SHA1
c75d43dbb381650ec0a9684867b968bf658a0304
-
SHA256
a4aa9acf04e3377f7d0fd23f0677e29cf885436ee18af02de049899a9ab62d61
-
SHA512
0e50f48171d151aca6006f158be6d08985c62e915a5ec46fa9e9e1dc18c38112b4261209158826b15a0c48e05ac26a5af87628e6b57212c0590f962a7a06809d
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIRpPl1W4F0MpeCWBxwEJcA:QLV6Bta6dtJmakIM56lY4yMpeCoxwEx
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\playit.exe"C:\Users\Admin\AppData\Local\Temp\playit.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eddfec1f.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x408 0x30c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eddfec1f.batFilesize
3B
MD5dfff0a7fa1a55c8c1a4966c19f6da452
SHA1abac36149cf8b0e18d680ad240a392fc875517bc
SHA25604dc5b2136328a0dcb189df97734c7c72e5e1227fa0c03469a6ce608f32f1b66
SHA5126b2ceded114a90ec308b795405cb9ec18ea5e42c27d3366880b9fd7fa037bd5e89980e4e1e56ce800a7d2cac3cbfd9b8d3f48b21f6c28f6dd4ebee4983c015ca
-
memory/4352-0-0x0000000074712000-0x0000000074713000-memory.dmpFilesize
4KB
-
memory/4352-1-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-2-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-4-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-8-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-9-0x0000000074712000-0x0000000074713000-memory.dmpFilesize
4KB
-
memory/4352-10-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-11-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB
-
memory/4352-12-0x0000000074710000-0x0000000074CC1000-memory.dmpFilesize
5.7MB