nanocore | f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
Size

349KB
MD5

8b8eae7ad113d7ab223a6da5cd36aa94
SHA1

75629e504c538c5186f57e8437872cc2f1d23006
SHA256

f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755
SHA512

d42a55dc53d65dd26aafc8d3edcd81895e8a1678dd8feb3ce45a3e3e21f6dd22d9dd9c1f362436f5634b744f51e61f0b0d6680d5cbf099c630e7dda0bf350030
SSDEEP

6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpID:FB1Q6rpr7MrswfLjGwW5xFdRyJpA

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

bemery2.no-ip.biz:57628

127.0.0.1:57628

Mutex

997af15f-5576-4030-975c-eb3264fb6789

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-23T21:31:33.540664436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
57628
default_group
grace
enable_debug_mode
true
gc_threshold
1.048576e+08
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+09
mutex
997af15f-5576-4030-975c-eb3264fb6789
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
bemery2.no-ip.biz
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3056	attrib.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1860	ping.exe
2120	ping.exe
2884	ping.exe
2952	ping.exe
1296	ping.exe
3060	ping.exe
1792	ping.exe
672	ping.exe
1180	ping.exe
2604	ping.exe
848	ping.exe
2472	ping.exe
1808	ping.exe
2616	ping.exe
2644	ping.exe
2080	ping.exe
444	ping.exe
1732	ping.exe
2184	ping.exe
1952	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
1180	ping.exe
1808	ping.exe
1732	ping.exe
2120	ping.exe
2884	ping.exe
2644	ping.exe
2604	ping.exe
2472	ping.exe
672	ping.exe
3060	ping.exe
444	ping.exe
1792	ping.exe
2184	ping.exe
2952	ping.exe
1296	ping.exe
848	ping.exe
1860	ping.exe
2616	ping.exe
1952	ping.exe
2080	ping.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2964	RegAsm.exe
2964	RegAsm.exe
2964	RegAsm.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2964	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
Token: SeDebugPrivilege	2964	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2884	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	31
PID 2536 wrote to memory of 2884	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	31
PID 2536 wrote to memory of 2884	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	31
PID 2536 wrote to memory of 2884	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	31
PID 2536 wrote to memory of 2616	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	33
PID 2536 wrote to memory of 2616	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	33
PID 2536 wrote to memory of 2616	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	33
PID 2536 wrote to memory of 2616	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	33
PID 2536 wrote to memory of 2644	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	35
PID 2536 wrote to memory of 2644	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	35
PID 2536 wrote to memory of 2644	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	35
PID 2536 wrote to memory of 2644	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	35
PID 2536 wrote to memory of 2604	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	38
PID 2536 wrote to memory of 2604	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	38
PID 2536 wrote to memory of 2604	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	38
PID 2536 wrote to memory of 2604	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	38
PID 2536 wrote to memory of 2184	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	40
PID 2536 wrote to memory of 2184	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	40
PID 2536 wrote to memory of 2184	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	40
PID 2536 wrote to memory of 2184	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	40
PID 2536 wrote to memory of 672	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	42
PID 2536 wrote to memory of 672	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	42
PID 2536 wrote to memory of 672	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	42
PID 2536 wrote to memory of 672	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	42
PID 2536 wrote to memory of 2952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	44
PID 2536 wrote to memory of 2952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	44
PID 2536 wrote to memory of 2952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	44
PID 2536 wrote to memory of 2952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	44
PID 2536 wrote to memory of 1180	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	46
PID 2536 wrote to memory of 1180	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	46
PID 2536 wrote to memory of 1180	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	46
PID 2536 wrote to memory of 1180	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	46
PID 2536 wrote to memory of 1952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	48
PID 2536 wrote to memory of 1952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	48
PID 2536 wrote to memory of 1952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	48
PID 2536 wrote to memory of 1952	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	48
PID 2536 wrote to memory of 1296	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	50
PID 2536 wrote to memory of 1296	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	50
PID 2536 wrote to memory of 1296	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	50
PID 2536 wrote to memory of 1296	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	50
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 2964	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	52
PID 2536 wrote to memory of 3056	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	53
PID 2536 wrote to memory of 3056	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	53
PID 2536 wrote to memory of 3056	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	53
PID 2536 wrote to memory of 3056	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	53
PID 2536 wrote to memory of 3060	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	54
PID 2536 wrote to memory of 3060	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	54
PID 2536 wrote to memory of 3060	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	54
PID 2536 wrote to memory of 3060	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	54
PID 2536 wrote to memory of 2080	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	57
PID 2536 wrote to memory of 2080	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	57
PID 2536 wrote to memory of 2080	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	57
PID 2536 wrote to memory of 2080	2536	f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe	57

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
"C:\Users\Admin\AppData\Local\Temp\f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2884
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2616
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2644
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2604
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2184
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:672
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2952
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1180
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1952
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\f975dc18b3843351c4d59384d53ede6af68c25e83da40cb495cd9583afb90755.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3056
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3060
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2080
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:444
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:848
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1860
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2472
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1808
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1792
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1732
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2120
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:948
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:664
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DV.png

Filesize
100KB

MD5
85aa412748cec606260dfc07a2ba0493

SHA1
b1604d7f6a3bea2c716137e93c1b3206e4581595

SHA256
603e434580ef4df688fa85fa8b0bd552fcc06fa7882c1d2789c8c52bce87752f

SHA512
98ffc0676b705619d6fb206459c69cc73de285661971d43311e770898a474c2169749357c3126415f17a19e711badfe0fbbb98f056af8cf99cc6eaad7629a71a

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

Filesize
349KB

MD5
e42b2588d7350ebef8e22c60ca5f62be

SHA1
432ebbbba6997644e5e173edb31d74fd0eda31da

SHA256
617b73b21a41f53be38d77b4c021ac2f86330880e5a01e58d32670ad4483c57b

SHA512
85f9a4ef37759f58ce01861869fab1a361c7ba14365f26065f5dc068f51cbe81d6ed5267810784aac49e65c304468b52f2348050c6122751b8871c8046260b51

Download Submit
memory/2264-5-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2536-0-0x0000000074661000-0x0000000074662000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-4-0x0000000004B00000-0x0000000004B02000-memory.dmp

Filesize
8KB

Download
memory/2536-7-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2964-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download