b00d0a0f78fcce81c653972072faf8bcacba8967d5bfa97ad88bfc90d54d0eaf

Resubmissions

01-08-2024 21:24

240801-z9cxws1cjd 9

31-07-2024 11:45

240731-nwq2ta1enn 9

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node_manager-ns.exe
Size

172.1MB
MD5

5e7f3dcababac06d45edcf9be7390f5d
SHA1

f4de2d65b2944e19685b1b11efa13f6a6cfdb535
SHA256

039a72b85d6fa3f5cf6d9295637ad7b7d2c0c466544379e2852a58bc9cdf2c78
SHA512

86100b0ebac55d68728a8cdee240a32a0d27eb1a8c79b424aafded95c51f3c60298b4bcb8b8067ce4a9b98230e99c7102a2e2427c981dddd86e7515b3f4b98b2
SSDEEP

1572864:OOzoFp1uzWYCKLT08vzzFN3hK7hYOWFZdL3m4aazO3+v591RxmLVhe:uub7xmL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	node_manager-ns.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	node_manager-ns.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	node_manager-ns.exe
1824	node_manager-ns.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe
Token: SeShutdownPrivilege	2752	node_manager-ns.exe
Token: SeCreatePagefilePrivilege	2752	node_manager-ns.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	node_manager-ns.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 5076	2752	node_manager-ns.exe	84
PID 2752 wrote to memory of 5076	2752	node_manager-ns.exe	84
PID 5076 wrote to memory of 1048	5076	cmd.exe	86
PID 5076 wrote to memory of 1048	5076	cmd.exe	86
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1200	2752	node_manager-ns.exe	87
PID 2752 wrote to memory of 1328	2752	node_manager-ns.exe	88
PID 2752 wrote to memory of 1328	2752	node_manager-ns.exe	88
PID 2752 wrote to memory of 1824	2752	node_manager-ns.exe	93
PID 2752 wrote to memory of 1824	2752	node_manager-ns.exe	93

C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe
"C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1048
- C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe
  "C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\node_manager" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,16573552121192829492,16082581127828156890,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe
  "C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\node_manager" --field-trial-handle=2288,i,16573552121192829492,16082581127828156890,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe
  "C:\Users\Admin\AppData\Local\Temp\node_manager-ns.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\node_manager" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2680,i,16573552121192829492,16082581127828156890,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c874cf32-e2d9-4e05-aa2f-dedbc9c0ffb3.tmp.node

Filesize
2.2MB

MD5
9694858c580f1ce0b7608aa5f29bcf99

SHA1
b152da6b0870356b5b2d554d6212787cfac3ee29

SHA256
303056c1aeea3851183ba790b90ffb9730113a577e3c6b4ef1fc740b16f71067

SHA512
4197cda548d7f767ef949ab71e87ee379aae240be140881ed1780c67f77341074b5d5880e0108fff403aa5b1224158c514b92ab3f8c93f6c2d2ad6f7ccb5e9ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\node_manager\Network\Network Persistent State

Filesize
300B

MD5
840e3964b25d2abcf5a1e710487e67eb

SHA1
4aaeb1702ef3f9db98b4700f6022637a5a6be324

SHA256
64a22af6d140f233473f3239f28fbb0b050a1f191637d8ef3069070c4e70d851

SHA512
76c85edd7563a33a944b9c35eb2ac26a0f920b23183a6b2bafb6ba118b007875bb81b4ce025c7d08c508ad9d75f74e2dffbdd684caedef7c62686df05a44e0d5

Download Submit
C:\Users\Admin\AppData\Roaming\node_manager\Network\Network Persistent State~RFe592726.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/1824-71-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-73-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-72-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-77-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-80-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-83-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-82-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-81-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-79-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download
memory/1824-78-0x000002D27E890000-0x000002D27E891000-memory.dmp

Filesize
4KB

Download