Overview

overview

10

Static

static

10

c00ff750da...17.exe

windows7-x64

10

c00ff750da...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe

  • Size

    452KB

  • MD5

    2d5b4052ba6e888d0a2e8b044bc04651

  • SHA1

    7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443

  • SHA256

    c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17

  • SHA512

    2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed

  • SSDEEP

    12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe
    "C:\Users\Admin\AppData\Local\Temp\c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3340
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA019.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp
    Filesize

    1KB

    MD5

    14608f606fdbc8c928fc56a257d4c283

    SHA1

    cc88cc40f7b676fc03f413877066dd2dc51569d7

    SHA256

    c4de491d38884874a17664a071aa3cfb39c2d7de9e24b684813a52577c47615f

    SHA512

    4b3b1496a8f800a4a609d24a7a91589e0377c217b76647f6e38a2367bc51e12106471ae0e06fe09ca00c5c3bb09a5bf42dd370445dd01c17664223f513d395b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpA019.tmp
    Filesize

    1KB

    MD5

    54865f98871478b2b88b7f8aa6100915

    SHA1

    6f8667f1ce25cebee2a7b460668736ff6bcfac54

    SHA256

    287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

    SHA512

    caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

    Download Submit

  • memory/4108-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4108-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4108-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4108-10-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4108-11-0x00000000749B2000-0x00000000749B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4108-12-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4108-13-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4108-14-0x00000000749B0000-0x0000000074F61000-memory.dmp

    Filesize

    5.7MB

    Download