nanocore | d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Size

3.7MB
MD5

ef284d2e02d57b7090632e1bf06b8fa3
SHA1

85c5c5dc98d3d49478635f1d846761ab21ff7827
SHA256

d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7
SHA512

2d2e4c7d85626be637b5f959b72de9493759adfff7a6e4a7a640f7a02102b68714f039f85570770952f9b7546a6664c0f7879fc5e07ff3a83e630808069dfb57
SSDEEP

3072:WM/ZmolMbeDeDejyCeaev0beJ0kXC0ex75qlyrBmkepbe3eTLe3UzoeyeYHIHO+r:

Score

10^/10

nanocore defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

backu4734.duckdns.org:8092

Mutex

ccf3c62d-d356-4a80-bb94-307bc35a5e01

Attributes

activate_away_mode
false
backup_connection_host
backu4734.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-05T15:22:20.555580436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8092
default_group
Backup
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ccf3c62d-d356-4a80-bb94-307bc35a5e01
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backu4734.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Windows security bypass 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe
2932	powershell.exe
2816	powershell.exe

Windows security modification 2 TTPs 4 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe = "0"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fKffdGf3c164N7699460bb1fcTjd45OP4lacryvp3Ofa9 = "C:\\Windows\\Cursors\\dbe9ct81Se8a4fj44Ve\\svchost.exe"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WPA Service\wpasv.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
File opened for modification	C:\Program Files (x86)\WPA Service\wpasv.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
File opened for modification	C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2684	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2816	powershell.exe
2932	powershell.exe
2040	powershell.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
Token: SeDebugPrivilege	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2040	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	31
PID 2356 wrote to memory of 2040	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	31
PID 2356 wrote to memory of 2040	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	31
PID 2356 wrote to memory of 2040	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	31
PID 2356 wrote to memory of 2932	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	33
PID 2356 wrote to memory of 2932	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	33
PID 2356 wrote to memory of 2932	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	33
PID 2356 wrote to memory of 2932	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	33
PID 2356 wrote to memory of 2816	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	34
PID 2356 wrote to memory of 2816	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	34
PID 2356 wrote to memory of 2816	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	34
PID 2356 wrote to memory of 2816	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	34
PID 2356 wrote to memory of 2896	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	37
PID 2356 wrote to memory of 2896	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	37
PID 2356 wrote to memory of 2896	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	37
PID 2356 wrote to memory of 2896	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	37
PID 2896 wrote to memory of 2684	2896	cmd.exe	39
PID 2896 wrote to memory of 2684	2896	cmd.exe	39
PID 2896 wrote to memory of 2684	2896	cmd.exe	39
PID 2896 wrote to memory of 2684	2896	cmd.exe	39
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2356 wrote to memory of 2708	2356	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	40
PID 2708 wrote to memory of 2700	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	41
PID 2708 wrote to memory of 2700	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	41
PID 2708 wrote to memory of 2700	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	41
PID 2708 wrote to memory of 2700	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	41
PID 2708 wrote to memory of 752	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	43
PID 2708 wrote to memory of 752	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	43
PID 2708 wrote to memory of 752	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	43
PID 2708 wrote to memory of 752	2708	d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe	43

C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
"C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe"
1⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\dbe9ct81Se8a4fj44Ve\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe
  "C:\Users\Admin\AppData\Local\Temp\d3d5963442e6c36209ec3b38d4e16600283423af9c2a212291bb6cd7e8a837e7.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFED8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp38B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp38B.tmp

Filesize
1KB

MD5
21de6c3a6440d917bdbb4b491191d9b2

SHA1
c63c300affe7147910dc4544d2d5f3029bf321a6

SHA256
23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4

SHA512
dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFED8.tmp

Filesize
1KB

MD5
3fbf14339a82779a96ebe15d61e84dc7

SHA1
11a57b2c1bfb3559d4b2d09054d4fa63912d260c

SHA256
c9f9a132e24f96a42e87d7e5596f991666c4c208fd5eceddb14b8202f30e0b9a

SHA512
94f2a2d8982183cf69ae981da42b47b97d3db46b7612c8eeddf348d27c4b4c0a8e0cdc8e42f17da826673dda75e24d7e8e0e3be9690f455dca70ada0d5eeb429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8610bbc2ea4c4a2f7bd8b12688c09c36

SHA1
029cc5ac8ecd8e75dd55c8aa29e6144e68e7efed

SHA256
9e33331179404ac5cdda99dd8869087ff2e804966d170fc8a2c48014f3cd6996

SHA512
723e44093a0d6bbd86863c7a6702a15690d2de6f046e89cd9bd7c2510e417981c499f64d7fd0fe2cde306852d73cfa6d2c65b66d7b92e791de04144ac54a9ea8

Download Submit
memory/2356-30-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2356-1-0x0000000000F20000-0x00000000012D2000-memory.dmp

Filesize
3.7MB

Download
memory/2356-2-0x0000000000B50000-0x0000000000BEC000-memory.dmp

Filesize
624KB

Download
memory/2356-3-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2356-31-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2708-39-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2708-40-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/2708-41-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download