Analysis
-
max time kernel
103s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-01-2025 05:24
General
-
Target
uwu.exe
-
Size
203KB
-
MD5
5bb8a2313701dc641a35b99e559be51f
-
SHA1
b63370b47c89973ccef0edfe912ab800d0f3779f
-
SHA256
b1ed9465a4e8baab1490a5e1351db0282b8fb0ea67db0abdc47ee006414b480b
-
SHA512
9dce02249363779b245f20965fa74be5ec09b2094d0bb4d96986a0a97e386bc0887d9b1e6703f9e3b8ec89cb97e680a43f3bffc1921d81807bd93c6889e74cf2
-
SSDEEP
6144:MLV6Bta6dtJmakIM5S0cFHkf8wa3PNMGdP:MLV6BtpmkhrH3wKlMG9
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\uwu.exe"C:\Users\Admin\AppData\Local\Temp\uwu.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB258.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB2C6.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f5147cc88383b20862b708b731e610f5
SHA125ea124e5e6e1ee8c41ad210057b22ae9ea2415f
SHA256a515e77af6d7ac781eff610918d833851934fe36f3ed3cdd6ae28ec75351f707
SHA5123ae41da2af9af42ae265fb976fa43513f5dcb4f9e791263561db1fd2aba5f9c900f175decb9998145f51dbf46dd245046cb075858c473b4808b87c700d06167b
-
Filesize
1KB
MD57a81ae69c04c8d95261eb5f490b7f869
SHA19f4f484d306fea15b2e7f9f16db660833bb1f8ce
SHA256ce3933e772f663a834335cc2071e5e7b2d49a065b51d84a259054b8ef663e785
SHA5128260ab83106752a488e164bbed63ef334d34399bc9a5c09a0cfceba6aef48eafe5c64e4dfbd353ac3edfff2523b16c2b0287d34833a293c4436e068fae656de8
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB