Analysis
- max time kernel: 283s
- max time network: 303s
- platform: windows11-21h2_x64
- resource: win11-20250610-en
- resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03/07/2025, 05:28

Static task: static1
Behavioral task: behavioral1
- Sample: SWQ7109IR32I.exe
- Resource: win10v2004-20250619-en
General
- Target: SWQ7109IR32I.exe
- Size: 1.2MB
- MD5: 19754a191f2a765e383ceb20d0ebb716
- SHA1: 89a82cab08ebcda1125f88b1d423d0fa3551588a
- SHA256: 2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7
- SHA512: 62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5
- SSDEEP: 24576:d5EmXFtKaL4/oFe5T9yyXYfP1ijXdaVD2Tj6IfDmLrdjk:dPVt/LZeJbInQRaVDAj1f6Lh
Malware Config
Extracted
- nanocore
- 1.2.2.0
- 196.251.83.44:50050
- 0d1adaa2-a2d2-4c3e-856d-ffe49212022e

- activate_away_mode: true
- backup_connection_host: 196.251.83.44
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2025-04-05T23:58:57.854206336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 50050
- default_group: throttle
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0d1adaa2-a2d2-4c3e-856d-ffe49212022e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 196.251.83.44
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Nanocore family

- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs
  Process: schoollike.exe

- Executes dropped EXE (1 IoC)
  pid 2304, Process schoollike.exe

- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x000200000002a362-9.dat
  yara_rule: autoit_exe

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2304 set thread context of 4908
  pid 2304, Process schoollike.exe, procid_target 83

- Program crash (1 IoC)
  pid 4192, pid_target 2304, Process WerFault.exe, procid_target 82

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: schoollike.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: RegSvcs.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: SWQ7109IR32I.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4908, Process RegSvcs.exe (all 64 entries are identical)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4908, Process RegSvcs.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2304, Process schoollike.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 4908, Process RegSvcs.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2604 wrote to memory of 2304 (Process SWQ7109IR32I.exe, procid_target 82), 3 identical entries
  PID 2304 wrote to memory of 4908 (Process schoollike.exe, procid_target 83), 4 identical entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
  PID: 2604
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\translucently\schoollike.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
    PID: 2304
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
      PID: 4908
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 716
      PID: 4192
      - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 2304
  PID: 5020
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 202KB
  MD5: 988b68722b07f8710bf4ed30d420bb73
  SHA1: ffef50d91398c272747692fccdd6bef09b73df11
  SHA256: bf48806a7f2d1e174af9abd1777ad388c4a05b72979d14e385f760dfc0edc73b
  SHA512: d5fb0f2efa594e9e8b432e07a3f5302c6b8776f07bfbc7dd5e5b1560e990c46dfa27fe3f37e179c5af9b1d3609421ecf7511ddabbc767481857ccaffbf996ee4
- Filesize: 1.2MB
  MD5: 19754a191f2a765e383ceb20d0ebb716
  SHA1: 89a82cab08ebcda1125f88b1d423d0fa3551588a
  SHA256: 2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7
  SHA512: 62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5