Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-09-2024 10:31
General
-
Target
Red Zone's Proxy Generator/Red Zone's Proxy Generator.exe
-
Size
242KB
-
MD5
82d5d5ce76665e103aa71b07cdfe6303
-
SHA1
2ae80c6398c41a3e260f7bfaad79de7974fe9251
-
SHA256
61edc1adee16976a1b8e6e07c8ab7584bdbc5f876158dca0482489d1d5d26271
-
SHA512
792f9f0a477391e0a6e1357fbddf874bc1b90cd700cbb8539d8e8a18ba7fb904e16f9f42f0ac47ca5608d3d54faa42c3bd446f2720d531039f088cb86b11f870
-
SSDEEP
6144:pLV6Bta6dtJmakIM5stADSOY8GL+1WUQ52F+/8Ej4e9:pLV6Btpmk5u2EGLUcQsEEj4A
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Red Zone's Proxy Generator\Red Zone's Proxy Generator.exe"C:\Users\Admin\AppData\Local\Temp\Red Zone's Proxy Generator\Red Zone's Proxy Generator.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD894.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fdfb7d2b0d4802a895ce13e2b668c0ec
SHA1daec1fd7b68b4a60446f62b795c74d76be49de91
SHA2566d9488d8b9ead09754c327128dcdcd1e623e478a926f24c8b591d2d2a9baace3
SHA512645ac7cc8e8236b5aa067e9c9cd46612ca558037a38958e909c42fa069cf60e0608a547365bf541a3efab91dc9defa1211cbe48a89eb36c5fadeccf6d51bbe54
-
Filesize
1KB
MD55fea24e883e06e4df6d240dc72abf2c5
SHA1d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA51215afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB