Analysis

  • max time kernel
    120s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 13:41

General

  • Target

    d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe

  • Size

    203KB

  • MD5

    e426a9d0893cdce46573d438141f9fb0

  • SHA1

    f60b7693a49011ffae17f8404a762deb4c968567

  • SHA256

    d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63

  • SHA512

    b7bcfc00a1746a0e0a6b5ccddd35b3bcdbe797ce0ead7826023bf57cb121b8d6432aef145325689399f5f62619d6d9bc09e3083d5da26b8284c69b04b9d557ab

  • SSDEEP

    6144:MLV6Bta6dtJmakIM5B6V2qhLyNPYTbEjg:MLV6Btpmk6M2uL4YTR

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
    "C:\Users\Admin\AppData\Local\Temp\d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe"
    1⤵
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA529.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA529.tmp

    Filesize

    1KB

    MD5

    13acae57703ce6b052b62e1613f37d36

    SHA1

    87ad9f25db9b98c8e771acf52c518c22b85a9fd2

    SHA256

    d611072d948b1439c61fa0c650e7d97b204fbc737c606548c84d8a627d4403fe

    SHA512

    e1efc9171189b1ac705033f700f042022fd7416f20169d0ae5f89b335fe1b94e287e87d73ad990dbe1c8d05b9bc29afd047ef03fd7791ec12455f697c606afaf

  • memory/4228-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

    Filesize

    4KB

  • memory/4228-1-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB

  • memory/4228-2-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB

  • memory/4228-7-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB

  • memory/4228-8-0x0000000074B92000-0x0000000074B93000-memory.dmp

    Filesize

    4KB

  • memory/4228-9-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB

  • memory/4228-10-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB

  • memory/4228-11-0x0000000074B90000-0x0000000075141000-memory.dmp

    Filesize

    5.7MB