Analysis
-
max time kernel
103s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-10-2024 09:12
General
-
Target
406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe
-
Size
2.4MB
-
MD5
56fe028276b80e971a98765a8f7d6b30
-
SHA1
137678251bc0e9bbb5ddae7eddcf92efcf49b99c
-
SHA256
406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88f
-
SHA512
71f3bf21caeb5d3af5b1020e7afe2ba170351d55316baf332adc25c72c820588f8f8be0456d8c3b2b1087a8f64092eac6c3a80afe48acd56bbb4ba2d6895659a
-
SSDEEP
49152:efyZnoUpAg7JfYzl4E3dvrd1B6OWZAW2ROQcverO04T:eKZnVAoJ+l4Ethrp4T
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGYkmDNjyh.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGYkmDNjyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA836.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"C:\Users\Admin\AppData\Local\Temp\406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"C:\Users\Admin\AppData\Local\Temp\._cache_406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88fN.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB4E8.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB612.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGYkmDNjyh.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGYkmDNjyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD556fe028276b80e971a98765a8f7d6b30
SHA1137678251bc0e9bbb5ddae7eddcf92efcf49b99c
SHA256406f6aaed7ee453c105b4dc2737c6a2a5fe982991cc69d81cd3f97b54382b88f
SHA51271f3bf21caeb5d3af5b1020e7afe2ba170351d55316baf332adc25c72c820588f8f8be0456d8c3b2b1087a8f64092eac6c3a80afe48acd56bbb4ba2d6895659a
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD53c2921e80b63706f076e4c34a1f31d0b
SHA1ae150823328cceff081e3c6de3f256ee43bd1faf
SHA2565916a81eff85734114b3cac871df5d72ccf25e965a5f44850fcd0ccd00899294
SHA512e192cfa11020d0118301840e14cce7b944d3d0b448b19d5dde20a6251565fc2f5cc4cc45a31651e293b318e735293d47cfa2936a8ee6c51196a853a3c7f1447d
-
Filesize
18KB
MD537f22f34d22830c5bdfb812ad1a5fc34
SHA1c71ca83603a0d21adaeadb757dffc5fd05fa5769
SHA2565029e0619809442f539dff52935f6890e1dd14d18e5e6760bbab51d8252c3fb0
SHA512704d20b28c79a91dad2476363a7abb41a55c2a6c161c4cca1268db15fa8c80d57aee59825edf3efc4359ff968401b9ea4619c738e1c31c7d91b3f3d4ea9a59b6
-
Filesize
216KB
MD5e7e9bc0612332b858369c1fe63c51ebd
SHA14ce0ac44b64ac49fac32f671c44cdde7e0554465
SHA256e312f78b9e2a1c9b7bcbed548f09906375329f04c49b62829a3ff0334bcd0ae3
SHA512c4e819dae7d782ce46a2f2fd8de524aa4f35515689b25674f2d84c5ef9c9c50168f63cbb0d698c4376a43ee2835601839172934cc124da78f95e86f4724b4705
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
24KB
MD5bbfdda4c95a7cfdd989a840697487fbf
SHA168e5e7740eecb8e2c082787cf3e95626ffc5f636
SHA25601f8261aa2007c6f296756febd704cd75bbc9bd4bbb17cd2ecba532827d58a81
SHA512b74cd2041ccbe3f426114b38a07c5d7147ae9be64d274293925d6ed81fe502345089c8f769a3744737fffded8702b1efe318a3b2a8e264ffee76d578afed3c00
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD55c5e8456bb32ca2efccde096daa69edd
SHA18139fb23db8f5c44865b2594c4fb518b56085ffa
SHA2561d30f2cc6ed0c842818bc43b84a7f9609cfbf01401345bbaeee67d5fce9a58af
SHA5128c244332372ff82035ee184d62a1f2202c273ba8a24ca8ee876202d616835b78e2f129e4111ce0fa6a77892dd1c9adb6066312dbb7c62f092d8c75b421070e75
-
Filesize
1KB
MD57a8ff09d60a0632c2bb39ffbec978934
SHA1beef4081979a5e1f7c0f9b94f618ef629c156bbc
SHA256f4cfc1339b7a2a37ea581716789b4ed93875acc7dc0e3f434c093bcbeccfff7f
SHA512fdb9638a3f89737e439c4e6b67e955eb8bc773dc86a8bae5905601128ec0990ef821b03ba6f6072527c8e1351c10e0fb658ee7c3a99b9da4e11e4567a637ffda
-
Filesize
1KB
MD593d357e6194c8eb8d0616a9f592cc4bf
SHA15cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA5124df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
992KB
-
Filesize
992KB
-
Filesize
992KB
-
Filesize
992KB
-
Filesize
992KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
1.4MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
1.2MB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
992KB
-
Filesize
992KB