nanocore | 406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88f

Analysis

max time kernel
113s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
Size

2.4MB
MD5

56fe028276b80e971a98765a8f7d6b30
SHA1

137678251bc0e9bbb5ddae7eddcf92efcf49b99c
SHA256

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88f
SHA512

71f3bf21caeb5d3af5b1020e7afe2ba170351d55316baf332adc25c72c820588f8f8be0456d8c3b2b1087a8f64092eac6c3a80afe48acd56bbb4ba2d6895659a
SSDEEP

49152:efyZnoUpAg7JfYzl4E3dvrd1B6OWZAW2ROQcverO04T:eKZnVAoJ+l4Ethrp4T

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

hostresultkey.duckdns.org:55477

127.0.0.1:55477

Mutex

e892e35e-8ddc-4c7d-814b-d3eb1aa69104

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-06-06T13:04:07.487300236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
55477
default_group
sale
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e892e35e-8ddc-4c7d-814b-d3eb1aa69104
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hostresultkey.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2336	powershell.exe
2632	powershell.exe
2168	powershell.exe
2036	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2944	Synaptics.exe
1532	Synaptics.exe
2160	Synaptics.exe
852	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

Processes:

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exeSynaptics.exe

pid	Process
804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2160	Synaptics.exe
2160	Synaptics.exe
2160	Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe"	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exeSynaptics.exe

description	pid	Process	procid_target
PID 2884 set thread context of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2944 set thread context of 2160	2944	Synaptics.exe	51

Drops file in Program Files directory 2 IoCs

Processes:

._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

description	ioc	Process
File created	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
File opened for modification	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exepowershell.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeSynaptics.exepowershell.exeschtasks.exe._cache_Synaptics.exe._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exepowershell.exeSynaptics.exeEXCEL.EXE406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2592	schtasks.exe
680	schtasks.exe
876	schtasks.exe
1884	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2900	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exe._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exepowershell.exeSynaptics.exepowershell.exe

pid	Process
2632	powershell.exe
2336	powershell.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2168	powershell.exe
2944	Synaptics.exe
2944	Synaptics.exe
2036	powershell.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

pid	Process
2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exe._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exepowershell.exeSynaptics.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2944	Synaptics.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2900	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exeSynaptics.exe

description	pid	Process	procid_target
PID 2884 wrote to memory of 2336	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	30
PID 2884 wrote to memory of 2336	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	30
PID 2884 wrote to memory of 2336	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	30
PID 2884 wrote to memory of 2336	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	30
PID 2884 wrote to memory of 2632	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	32
PID 2884 wrote to memory of 2632	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	32
PID 2884 wrote to memory of 2632	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	32
PID 2884 wrote to memory of 2632	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	32
PID 2884 wrote to memory of 2592	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	34
PID 2884 wrote to memory of 2592	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	34
PID 2884 wrote to memory of 2592	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	34
PID 2884 wrote to memory of 2592	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	34
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 2884 wrote to memory of 804	2884	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	36
PID 804 wrote to memory of 2500	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	37
PID 804 wrote to memory of 2500	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	37
PID 804 wrote to memory of 2500	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	37
PID 804 wrote to memory of 2500	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	37
PID 804 wrote to memory of 2944	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	38
PID 804 wrote to memory of 2944	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	38
PID 804 wrote to memory of 2944	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	38
PID 804 wrote to memory of 2944	804	406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	38
PID 2500 wrote to memory of 680	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	39
PID 2500 wrote to memory of 680	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	39
PID 2500 wrote to memory of 680	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	39
PID 2500 wrote to memory of 680	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	39
PID 2500 wrote to memory of 876	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	41
PID 2500 wrote to memory of 876	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	41
PID 2500 wrote to memory of 876	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	41
PID 2500 wrote to memory of 876	2500	._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe	41
PID 2944 wrote to memory of 2168	2944	Synaptics.exe	44
PID 2944 wrote to memory of 2168	2944	Synaptics.exe	44
PID 2944 wrote to memory of 2168	2944	Synaptics.exe	44
PID 2944 wrote to memory of 2168	2944	Synaptics.exe	44
PID 2944 wrote to memory of 2036	2944	Synaptics.exe	46
PID 2944 wrote to memory of 2036	2944	Synaptics.exe	46
PID 2944 wrote to memory of 2036	2944	Synaptics.exe	46
PID 2944 wrote to memory of 2036	2944	Synaptics.exe	46
PID 2944 wrote to memory of 1884	2944	Synaptics.exe	47
PID 2944 wrote to memory of 1884	2944	Synaptics.exe	47
PID 2944 wrote to memory of 1884	2944	Synaptics.exe	47
PID 2944 wrote to memory of 1884	2944	Synaptics.exe	47
PID 2944 wrote to memory of 1532	2944	Synaptics.exe	50
PID 2944 wrote to memory of 1532	2944	Synaptics.exe	50
PID 2944 wrote to memory of 1532	2944	Synaptics.exe	50
PID 2944 wrote to memory of 1532	2944	Synaptics.exe	50
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51
PID 2944 wrote to memory of 2160	2944	Synaptics.exe	51

C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
"C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGYkmDNjyh.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGYkmDNjyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97EC.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
  "C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "IMAP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9CEB.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:680
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "IMAP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9D2A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:876
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGYkmDNjyh.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGYkmDNjyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC06.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1884
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:1532
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.4MB

MD5
56fe028276b80e971a98765a8f7d6b30

SHA1
137678251bc0e9bbb5ddae7eddcf92efcf49b99c

SHA256
406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88f

SHA512
71f3bf21caeb5d3af5b1020e7afe2ba170351d55316baf332adc25c72c820588f8f8be0456d8c3b2b1087a8f64092eac6c3a80afe48acd56bbb4ba2d6895659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMOzHccB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97EC.tmp

Filesize
1KB

MD5
d23a0838d6861116fc2a63ac2db98989

SHA1
c25a8d2fa365ab242adbc27300c8010aa6f8aa31

SHA256
bb69aab52ed6ef4836ac9224fde4f2417e2889fbe4b69f1a0c23748505e5f9e6

SHA512
9b1f1bc11cde4f711143496a8a88a10a336f49c7dd0742c66ceba42d00bdbbad1e91734f84848042d322051886c72c71bfc2bdfc094c26b6e4bf6d08da53fa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CEB.tmp

Filesize
1KB

MD5
7a8ff09d60a0632c2bb39ffbec978934

SHA1
beef4081979a5e1f7c0f9b94f618ef629c156bbc

SHA256
f4cfc1339b7a2a37ea581716789b4ed93875acc7dc0e3f434c093bcbeccfff7f

SHA512
fdb9638a3f89737e439c4e6b67e955eb8bc773dc86a8bae5905601128ec0990ef821b03ba6f6072527c8e1351c10e0fb658ee7c3a99b9da4e11e4567a637ffda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D2A.tmp

Filesize
1KB

MD5
d2d6911d94b06e405e7687a2437eafec

SHA1
9f28f9e7d8d5179d44ddaa6ca266984ed7521dea

SHA256
2dc87169ad53fbdd7abb08f49777cb8fb05adbff4e6f6616b4c89942af8cad0f

SHA512
b5983de701ff98e944283a25f1770c1e792d52148dc1671f1d19203f8b9d10b056abcf79a17ca536a5f88ccf52f6445d8f3e75fce628666640ad8bad697dcfd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a469c717c5c6c19f5556bef5f3b067d9

SHA1
679aef76b30988b0fce964fc9c91e9ce668b9cca

SHA256
d332e9a6fd861d5e10cf279d83926508b7532c75389abb736dbf5447d1566b83

SHA512
abac59de701af814c02eab10e7a9ea3242e01329dbd78fceeeccf56150e217e2136c14269d929fe7a045b900f3ca73ac1db4620032e6458673d61da0719ec99b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1ed8db95c60de341d0b07d6a67f2b291

SHA1
ce4325f5570ed04c1405f75a7c5ae24e000f3cc2

SHA256
61522e8c5a254127061710c761b551cb50bf4d1aa99cb1d56cf58f0d21da7b49

SHA512
5bd333fa701df4fcbca8e9c73a2fd1212aa646cdf8e72608e78f7ae11950da43c6a0e83132f62e11c3c56dc0b8ae966c2bd32508095a609fc9c8297c4c3654f0

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe

Filesize
216KB

MD5
e7e9bc0612332b858369c1fe63c51ebd

SHA1
4ce0ac44b64ac49fac32f671c44cdde7e0554465

SHA256
e312f78b9e2a1c9b7bcbed548f09906375329f04c49b62829a3ff0334bcd0ae3

SHA512
c4e819dae7d782ce46a2f2fd8de524aa4f35515689b25674f2d84c5ef9c9c50168f63cbb0d698c4376a43ee2835601839172934cc124da78f95e86f4724b4705

Download Submit
memory/804-28-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-26-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/804-37-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-22-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-30-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-38-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-24-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-34-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/804-33-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2160-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-104-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2160-169-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2160-139-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2160-138-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2160-137-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2884-3-0x0000000005240000-0x00000000053A4000-memory.dmp

Filesize
1.4MB

Download
memory/2884-4-0x0000000000610000-0x000000000062A000-memory.dmp

Filesize
104KB

Download
memory/2884-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2884-2-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-5-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2884-9-0x00000000055E0000-0x000000000571A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-1-0x0000000000D30000-0x0000000000FA4000-memory.dmp

Filesize
2.5MB

Download
memory/2884-6-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-8-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2884-7-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2884-41-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-66-0x0000000000F70000-0x00000000011E4000-memory.dmp

Filesize
2.5MB

Download