Analysis
- max time kernel: 103s
- max time network: 300s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2025, 05:28
Static task: static1
Behavioral task: behavioral1
Sample: SWQ7109IR32I.exe
Resource: win10v2004-20250619-en
General
- Target: SWQ7109IR32I.exe
- Size: 1.2MB
- MD5: 19754a191f2a765e383ceb20d0ebb716
- SHA1: 89a82cab08ebcda1125f88b1d423d0fa3551588a
- SHA256: 2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7
- SHA512: 62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5
- SSDEEP: 24576:d5EmXFtKaL4/oFe5T9yyXYfP1ijXdaVD2Tj6IfDmLrdjk:dPVt/LZeJbInQRaVDAj1f6Lh
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 196.251.83.44:50050
Mutex: 0d1adaa2-a2d2-4c3e-856d-ffe49212022e
- activate_away_mode: true
- backup_connection_host: 196.251.83.44
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2025-04-05T23:58:57.854206336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 50050
- default_group: throttle
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0d1adaa2-a2d2-4c3e-856d-ffe49212022e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 196.251.83.44
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Nanocore family
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs | schoollike.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3700 | schoollike.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x0007000000024087-9.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3700 set thread context of 536 | 3700 | schoollike.exe | 89
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SWQ7109IR32I.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schoollike.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  536 | RegSvcs.exe
  536 | RegSvcs.exe
  536 | RegSvcs.exe
  536 | RegSvcs.exe
  536 | RegSvcs.exe
  536 | RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  536 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  3700 | schoollike.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 536 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 6064 wrote to memory of 3700 | 6064 | SWQ7109IR32I.exe | 88
  PID 6064 wrote to memory of 3700 | 6064 | SWQ7109IR32I.exe | 88
  PID 6064 wrote to memory of 3700 | 6064 | SWQ7109IR32I.exe | 88
  PID 3700 wrote to memory of 536 | 3700 | schoollike.exe | 89
  PID 3700 wrote to memory of 536 | 3700 | schoollike.exe | 89
  PID 3700 wrote to memory of 536 | 3700 | schoollike.exe | 89
  PID 3700 wrote to memory of 536 | 3700 | schoollike.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
  level: 1
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 6064
  - C:\Users\Admin\AppData\Local\translucently\schoollike.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
    level: 2
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 3700
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
      level: 3
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 536
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 1.2MB
  MD5: 19754a191f2a765e383ceb20d0ebb716
  SHA1: 89a82cab08ebcda1125f88b1d423d0fa3551588a
  SHA256: 2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7
  SHA512: 62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5