Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 23:56
Behavioral task
behavioral1
Sample
pest.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
pest.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
pest.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
pest.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
pest.exe
-
Size
202KB
-
MD5
3a25b8b57fee2dbe05b915a4ba5a5f23
-
SHA1
d563fc3b01275e873b938a5f08e15809a8ea44b7
-
SHA256
586ed5d88e9c4b4c7d64fdc87c134f464cee29a2c75cd7021195e057dbcfaf1c
-
SHA512
1c7549ae11347dfe60a5db10a169cb5990ba3f1a34a8cdaadd52525bba1c0fad2a932f02f1962289cf02d087d7bcdea9a2d5ac23cc69172dff4a782c82c553a6
-
SSDEEP
6144:QLV6Bta6dtJmakIM5JzxAnuBlMvBZORkl:QLV6BtpmkMxAIFkl
Malware Config
Signatures
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe" pest.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA pest.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\WPA Service\wpasv.exe pest.exe File opened for modification C:\Program Files (x86)\WPA Service\wpasv.exe pest.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pest.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1736 pest.exe 1736 pest.exe 1736 pest.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1736 pest.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1736 pest.exe Token: SeDebugPrivilege 1736 pest.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pest.exe"C:\Users\Admin\AppData\Local\Temp\pest.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1736