Analysis
- max time kernel: 120s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2024 13:41
Behavioral task
- behavioral1
- Sample: d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- Resource: win7-20240903-en
General
- Target: d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- Size: 203KB
- MD5: e426a9d0893cdce46573d438141f9fb0
- SHA1: f60b7693a49011ffae17f8404a762deb4c968567
- SHA256: d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63
- SHA512: b7bcfc00a1746a0e0a6b5ccddd35b3bcdbe797ce0ead7826023bf57cb121b8d6432aef145325689399f5f62619d6d9bc09e3083d5da26b8284c69b04b9d557ab
- SSDEEP: 6144:MLV6Bta6dtJmakIM5B6V2qhLyNPYTbEjg:MLV6Btpmk6M2uL4YTR
Malware Config

Signatures
- Nanocore family
- Checks whether UAC is enabled
  Processes:
  description        | ioc                                                                              | process
  Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc                                                          | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes:
  pid  | process
  4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
  4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
  4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid  | process
  4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  description                         | pid  | process                                                                | target process
  PID 4228 wrote to memory of 1780    | 4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe | schtasks.exe
  PID 4228 wrote to memory of 1780    | 4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe | schtasks.exe
  PID 4228 wrote to memory of 1780    | 4228 | d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d070c972c4f2e88e72b6fc1bd081260a170311528d617080332d78ca27001c63N.exe"
  PID: 4228
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 4228)
    Command line: "schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA529.tmp"
    PID: 1780
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 13acae57703ce6b052b62e1613f37d36
  SHA1: 87ad9f25db9b98c8e771acf52c518c22b85a9fd2
  SHA256: d611072d948b1439c61fa0c650e7d97b204fbc737c606548c84d8a627d4403fe
  SHA512: e1efc9171189b1ac705033f700f042022fd7416f20169d0ae5f89b335fe1b94e287e87d73ad990dbe1c8d05b9bc29afd047ef03fd7791ec12455f697c606afaf