Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 00:20

General

  • Target

    2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe

  • Size

    647KB

  • MD5

    ff2da6a2d2e29d76e8ee869fa07f7530

  • SHA1

    ece7a717f8a6e7973c78cadf87d6449e116fe9f4

  • SHA256

    2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64d

  • SHA512

    03334e7e0903ba6b4c4611443722f5c8cf07c974b7ca36d7e1a0a62a4c83bb13702d5b3761f72c288d2bf1e0fbcc4a878559a864fe3147ce8f51a00345818721

  • SSDEEP

    12288:ra/rmU5El82jSlI/ExacF3gnxbCEjLz35gRHHi3xED:rav5UjSlI/EPFmOmLz35g9H4xED

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
    "C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Explorer" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3272
      • C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe
        "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe
          "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\firewall-tmp.exe.log

    Filesize

    594B

    MD5

    c94dfeb3fce284a48382d77bcc392730

    SHA1

    4e7d49492dae8f169d86d9af95f68a9f9cbd3998

    SHA256

    2f3dbeb392f82563bb0bb8e5a91873fd1fa3bf4fe34e285fcecb8c5cf0530815

    SHA512

    38eb711c5a4399baa16f667d92d41bd02c27bfc06c1ecf1e26c70a92f69318b05cda6146f6e8d4b357084674e3bbc93a5462eb62f28ca05349af6166e8637d13

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Genagxehdojkiicch.bin

    Filesize

    225KB

    MD5

    51f1ce5d176efbe96f90041f021ffc01

    SHA1

    ea0e79728896bdb069a8415e39870e840016a067

    SHA256

    608f68fcb0b4cbb3a2e688757ca461d14a1b15eb183f814fcfbeca882d9d1c6d

    SHA512

    22c19013ee68e7f78633e6e3b1254fe99eb9ad6145dd1c0b0bc6e8dd952405449c55df49ae986d8886d62ce4e18b73764f98c39b806f57c56aadcbca7721619d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ywhrrxoeoaonmsi.bin

    Filesize

    1024KB

    MD5

    7f80c68c6a830a70710814f8f826f4f2

    SHA1

    340d3725bd2fb249ef23b74695383acfc143f518

    SHA256

    59148dbade1cb116605f776b6cad15e7cdd5fe0303cedaef657768face638f3e

    SHA512

    77d3d9a24d815b8f3143a594dab9d07ddc77f40f0f26b9e12a7d22986f7505b3e02efe8bbe4caf2acc050777594e00246532bba39d45c451a68049c79cf8143d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe

    Filesize

    165KB

    MD5

    1c8bfc1aa27be1ef777946a6388ba879

    SHA1

    a375d403558a3e2203237178163f65770f5ac702

    SHA256

    ea6edfbb4f758fedc4e46256a30300bb80479cb854f83c51501e548b51bbfe72

    SHA512

    8eccdd4d58008d6d872e3983242d1118c98583c12894dbee4d5fd6e9528cd7d6d73fad2bbc175a0ba57aa8dc6baae8caad2d816347544bda22adcf9468111d4e

  • memory/2024-16-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-15-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-18-0x0000000072FE2000-0x0000000072FE3000-memory.dmp

    Filesize

    4KB

  • memory/2024-19-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-14-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-13-0x0000000072FE2000-0x0000000072FE3000-memory.dmp

    Filesize

    4KB

  • memory/2024-34-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/3624-37-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/4620-31-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/4620-32-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/4620-33-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB

  • memory/4620-35-0x0000000072FE0000-0x0000000073591000-memory.dmp

    Filesize

    5.7MB