Overview

overview

10

Static

static

10

sd.exe

windows7-x64

10

sd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    23-06-2024 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sd.exe

  • Size

    203KB

  • MD5

    cb57bb7b429df360f87e1e83566ff9a7

  • SHA1

    8d03c9d0b486d0fcd2e271e0902039cdb0480705

  • SHA256

    1be5176e2bdc3b3434e8dc95c902e0cfaaaf7a23fc8203b413effc121011ad30

  • SHA512

    1859e20474b69aa658f723c08c6543505ebe1843d1b6eee401fb7688821485397e5d20b7589be81d4f0ad7071120be6b9595bfe82e096c85126dc282472f47b8

  • SSDEEP

    6144:sLV6Bta6dtJmakIM5O/Uj1i3VmcHhyT9O+PjmdR/Fyr:sLV6BtpmkV/UJilzHhUO+yd6

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sd.exe
    "C:\Users\Admin\AppData\Local\Temp\sd.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp29BF.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2516
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2A3D.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2664
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\image.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ae2504678871cb19b84b2401270c06e2

    SHA1

    75d6a85b06d2ee5fff03aa75205f1581353dc47c

    SHA256

    a30b4d6b26cdbd919c5e01ec739c3f169808476f13b2f002fe190106a185bc9c

    SHA512

    a55f1a4215a6ae70e31c8e164fffa881d24029be15879efd4231f6f62eb2c559aad72071578e13093af49cbc5a5abbea9dff26187b74421a3bc3c129c3482bc9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2a86c2293c4ffcc2d72e6ffe6410be39

    SHA1

    a4489b4da39c8cd46b273f0a2cbe8fa7722534a1

    SHA256

    8a40bc7e82be520f30466fa8604e1505766d8b18695cba2d00643a7903fe0f8d

    SHA512

    0f196bea1b4aa1ff4b0e9779da6a3bc44c3b72a38ff7bf0c1509feb69d0c15101a678e40734d692e25d84b1cf2818db08821e6086c989daf543a40425c4e60cb

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    543c256ff6613ad4f0b6582833492251

    SHA1

    dce8a8b3bdaae27ad0dc533b919a241e24e245e3

    SHA256

    01b92920462597c836a54018fee8c44f926e449e38303b5c53654c36bca8aa99

    SHA512

    4d47458f1eccff7f71157d129a5dc080dc8b4223c5233809007572936efed392dce433caabbaa058b424afe87d967a1393212963ba619257b0005f5c55f3a41a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5a10634ba1240bf658e5b1410040f3a4

    SHA1

    ec05afa39b17eb2d110f1a6b44dbeebcecade6df

    SHA256

    389d3fb3e6a0c5370f11e94be37d6a25e9a8a8415c8a9087b413afafe2df7d78

    SHA512

    91d0e29de195bd9b68740c779b46fa9e40dd9d84c8e7d772b1c5985f31261f4e279c639dbcb2ba10a1165d24c09eb96444792b552d0495c249e2c855c6719e96

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    05e57fee8c3c21aca202ba17f3db711e

    SHA1

    0bc0fac315cef4861a1aead69b9d2177882978d1

    SHA256

    d183a10f388940b3a1e391e81378539997b7521648dc51e0e0619730cfb8f55a

    SHA512

    2546330811f63af8a29fbdb7f777647c445fec1cc1b8c45ec77c5b1eca3d122aa2bf9f81554eafd735fdaa47d421fb9df1143a3656b46b2d1f94903af3842bd2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c87b5d74244e7edce82b927529cb9104

    SHA1

    d416a35d3db19ade1ab620ae050700e3f3d1cd97

    SHA256

    ea49cbf230769ded3a2caccac14cbd3f889c72885eadf5a5d0c75a9dd74e9e73

    SHA512

    47d4351bda904eaa842b4734e417a800201107e3b321644c1ca5d87609f80dcffeb3d6c8ac23be1f2d77f2525f5ff2555083aa3c249fd478d156d67816ae8bf3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e6a9d1205a77e088eb7835865c7b4b8e

    SHA1

    f750182fbe0ec5670b9fb225ad10f9da52e22c0f

    SHA256

    45a11aeae3088be74c3b1929d9b07c151824d657c8049f67375070cac4211bbb

    SHA512

    ea8e479b494e66601731e2053f42731142714495676af012ec1affb0c617732a3567d76eb53960aaa6a4433eb1aa522805b983025b868ec4c91bdd29a33f7f9c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d9b34eee5626247ca8e03e570c119e6b

    SHA1

    3467822363110e232332c8cf5c9b7755f95edcda

    SHA256

    f24e15e5433edb4297f360c6e35aa9cdbb93b82d643b0f878c07fb9eae232453

    SHA512

    0d3a709313bd60a3454a725c74210c3b783908a114038051311e5d24b3b5dd8581cc76cc2b604a10683c1d7c4d144075727fb0be2f0baa62645efb93a6c85e4f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f6d12049624e8011dda0351095d0c0ec

    SHA1

    89462cdc39d277855bc2b461a3a46f999d14cfe7

    SHA256

    3324277f01c04bfe00fe8bdc1ecfc16fbf365db86b65db558ad00eef72671a03

    SHA512

    77ce0bc8a0fb4b964a6a23e9038d3a888cba08b24d2404cde8974a6d1aa6478ef72a191831ebcd5f84242cac3c680b7c6551ead26ec90f10ad232911a8ef270d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab11BF.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar12A3.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\image.gif
    Filesize

    14KB

    MD5

    2883fecb93bd0f19e05b9d397149b2ca

    SHA1

    9fd918c9d67451a0726189807891949aee538414

    SHA256

    372886c9978c664cc9e0fc3c74aa89b946c40a8de2e9e848ddf8796f8fcc2303

    SHA512

    281683324e4458e0d6a8758f9ea3d4471a610dcb8e925c5a0569e93e3c9616c27fdeb0e6c00fa10aabf0c1e0614c13815f2515b0fd9e67b6641e8c8c019a4d28

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp29BF.tmp
    Filesize

    1KB

    MD5

    f7d890eac080bcc878916c23c4b34c3d

    SHA1

    efa80352399bfd5c91b958dbc45228560e3a2b7e

    SHA256

    a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670

    SHA512

    a03dfd061d8fe7d01333fbdc641a92d9daa56dd21758ce788ea3a5114de16fcc37acd5f7bb0aaad5b23dc74c50ce51ab80603f429bd61292d81497ce68287085

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp2A3D.tmp
    Filesize

    1KB

    MD5

    4b7ef560289c0f62d0baf6f14f48a57a

    SHA1

    8331acb90dde588aa3196919f6e847f398fd06d1

    SHA256

    062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207

    SHA512

    ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

    Download Submit
  • memory/2872-0-0x0000000074A41000-0x0000000074A42000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2872-14-0x0000000074A40000-0x0000000074FEB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2872-13-0x0000000074A40000-0x0000000074FEB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2872-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2872-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp
    Filesize

    5.7MB

    Download