Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-09-2024 10:31
General
-
Target
Red Zone's Proxy Generator/Red Zone's Proxy Generator.exe
-
Size
242KB
-
MD5
82d5d5ce76665e103aa71b07cdfe6303
-
SHA1
2ae80c6398c41a3e260f7bfaad79de7974fe9251
-
SHA256
61edc1adee16976a1b8e6e07c8ab7584bdbc5f876158dca0482489d1d5d26271
-
SHA512
792f9f0a477391e0a6e1357fbddf874bc1b90cd700cbb8539d8e8a18ba7fb904e16f9f42f0ac47ca5608d3d54faa42c3bd446f2720d531039f088cb86b11f870
-
SSDEEP
6144:pLV6Bta6dtJmakIM5stADSOY8GL+1WUQ52F+/8Ej4e9:pLV6Btpmk5u2EGLUcQsEEj4A
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Red Zone's Proxy Generator\Red Zone's Proxy Generator.exe"C:\Users\Admin\AppData\Local\Temp\Red Zone's Proxy Generator\Red Zone's Proxy Generator.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBB62.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fdfb7d2b0d4802a895ce13e2b668c0ec
SHA1daec1fd7b68b4a60446f62b795c74d76be49de91
SHA2566d9488d8b9ead09754c327128dcdcd1e623e478a926f24c8b591d2d2a9baace3
SHA512645ac7cc8e8236b5aa067e9c9cd46612ca558037a38958e909c42fa069cf60e0608a547365bf541a3efab91dc9defa1211cbe48a89eb36c5fadeccf6d51bbe54
-
Filesize
1KB
MD5afb71a33ece3758f782f052bbe5da94f
SHA1e69b9070ff52f81fdf01a40f775d021e4b4e71e4
SHA256abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978
SHA51222c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB