Analysis Overview
SHA256
f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d
Threat Level: Known bad
The file 350d5e7320be3cf579bf1afacdbb46c0N.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 02:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 02:06
Reported
2024-08-05 02:08
Platform
win7-20240705-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1904 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp"
C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp
| MD5 | 09a669719a8aef5a1830387b41feaaba |
| SHA1 | dcae3f4a7d37dd475c248fed96c32a3b18684b01 |
| SHA256 | 122d53a5f99860ab687e68bf5c9e4be1d3e0f06307a1157f214f4749e6f2f360 |
| SHA512 | a0eba5e54e8a16bb1ad012475650752dbd3cda12a16d6067d66fac214c39d7bbd510c57788512a303877dbe9573bbb5a13cac23cfae660010de3c872671adaf9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 02:06
Reported
2024-08-05 02:08
Platform
win10v2004-20240802-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4992 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp"
C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
| US | 8.8.8.8:53 | savagesquad.ooguy.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp
| MD5 | 6fdc6da05762a26f3ef1cd3283b47a72 |
| SHA1 | 68e2780e8dfcf37796d7ef1287fd2559b3a50d8c |
| SHA256 | 99bdefc451c9ffad51d709944906ccc7c651c1e44e908bc40bc5f581651defbf |
| SHA512 | 3e07e3d22296c4ea70aced2793f036f1df8bdb4bdbb675551a15d213bd252175052c774777fab4f14d9f2598fb59e406a8bd09968d536e2ef6f8827b390f58bd |
memory/3060-10-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\350d5e7320be3cf579bf1afacdbb46c0N.exe.log
| MD5 | 49461f799113a05a28d6b992090c22ce |
| SHA1 | 4049a26ca32ff9ed84fd748b75b36b73e17510ce |
| SHA256 | efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3 |
| SHA512 | dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5 |