General
- Target: shipping order#.scr (a .scr "screensaver" is an ordinary PE executable; the extension does not make it any less a program)
- Size: 2.7MB
- Sample: 210108-2c6d1ngb16
- MD5: a916070df947a28ea73074c080189d35
- SHA1: 2c4215352fecfbd74b596f1125177f54cd010a4b
- SHA256: b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32
- SHA512: 3d5b554c97d6a093f6ce94b8c5d681438f5f4b74df391468e8adf36a7ab2b599b0ee49dcf7c57fb9aab03509d3f6a07747d94e05929eaaf627aa18d170abfc4e
Static task: static1
Behavioral task: behavioral1
- Sample: shipping order#.scr
- Resource: win7v20201028
Malware Config
Extracted: nanocore 1.2.2.0
- C2: 1.ispnano.dns-cloud.net:10004
- Mutex: db5d3893-53a7-40c5-9e07-c472ba23289f
- activate_away_mode: true
- backup_connection_host: 1.ispnano.dns-cloud.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-10-19T23:27:30.974613536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 10004
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB)
- mutex: db5d3893-53a7-40c5-9e07-c472ba23289f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 1.ispnano.dns-cloud.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Primary and backup connection hosts are the same name, so the single C2 indicator for this build is 1.ispnano.dns-cloud.net on TCP port 10004, with the mutex GUID above as the host-based indicator. Note that run_on_startup is false here while the behavioral signatures below still recorded a Run key and a dropped startup file; the persistence seen in the sandbox should not be assumed to come from this config alone.
Targets
- shipping order#.scr, 2.7MB (MD5, SHA1, SHA256 and SHA512 as listed under General above)
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2 (see the C2 host in the extracted config)
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments.)
- Suspicious use of NtSetInformationThreadHideFromDebugger (the ThreadHideFromDebugger information class stops a debugger from receiving events for that thread)
- Suspicious use of SetThreadContext (commonly used to redirect execution in an injected thread; the report does not identify the target process)
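The extracted config and the behavioral signatures above together give a small set of indicators a responder would want to sweep for: the C2 host and port, the mutex GUID, and the registry locations behind the Winlogon, Run-key and SpyNet signatures. The following is an added example (not part of the sandbox report, and not NanoCore's own code) that matches those indicators against host telemetry. The event dictionaries are an assumed, simplified Sysmon-style shape, the registry value names under the Winlogon, Run and Spynet keys are an assumption about where those behaviours normally land, and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators lifted verbatim from the extracted config above.
NANOCORE_CONFIG = {
    "primary_connection_host": "1.ispnano.dns-cloud.net",
    "backup_connection_host": "1.ispnano.dns-cloud.net",
    "connection_port": 10004,
    "mutex": "db5d3893-53a7-40c5-9e07-c472ba23289f",
}

# Registry paths behind three of the behavioural signatures. The report names
# the behaviour, not the value; the value names here are an assumption based on
# where Winlogon helpers, Run entries and Defender SpyNet settings normally live.
REGISTRY_WATCHLIST = [
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
     "Modifies WinLogon for persistence"),
    (re.compile(r"\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
     "Adds Run key to start application"),
    (re.compile(r"\\Windows Defender\\Spynet\\(SpynetReporting|SubmitSamplesConsent)$", re.I),
     "Turns off Windows Defender SpyNet reporting"),
]


def c2_hosts(cfg):
    """Distinct C2 hostnames; primary and backup may be the same, as in this build."""
    return {cfg["primary_connection_host"].lower(), cfg["backup_connection_host"].lower()}


def match_events(events, cfg=NANOCORE_CONFIG):
    """Return {pid: [reason, ...]} for events matching the config IOCs or the
    watched registry paths. A connection on the C2 port is only reported when
    the same PID already resolved a C2 host, so the bare port number (10004 is
    not suspicious by itself) does not drive alerts on its own."""
    hits = defaultdict(list)
    resolved_c2 = set()  # PIDs that queried a C2 host
    hosts = c2_hosts(cfg)
    mutex = cfg["mutex"].lower()
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "mutex" and mutex in ev["name"].lower():
            hits[pid].append("NanoCore mutex " + cfg["mutex"])
        elif kind == "dns" and ev["query"].lower() in hosts:
            resolved_c2.add(pid)
            hits[pid].append("DNS query for C2 host " + ev["query"])
        elif kind == "connect" and ev["port"] == cfg["connection_port"] and pid in resolved_c2:
            hits[pid].append("connection to %s:%d after C2 lookup" % (ev["dst"], ev["port"]))
        elif kind == "registry":
            for pattern, label in REGISTRY_WATCHLIST:
                if pattern.search(ev["key"]):
                    hits[pid].append(label)
    return dict(hits)


# Constructed telemetry, not taken from the sandbox run: one process (pid 1337)
# that behaves like the sample and one benign process (pid 42) that happens to
# use the same destination port.
SAMPLE_EVENTS = [
    {"type": "mutex", "pid": 1337, "name": r"Global\db5d3893-53a7-40c5-9e07-c472ba23289f"},
    {"type": "dns", "pid": 1337, "query": "1.ispnano.dns-cloud.net"},
    {"type": "connect", "pid": 1337, "dst": "203.0.113.10", "port": 10004},
    {"type": "registry", "pid": 1337,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"type": "registry", "pid": 1337,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpynetReporting"},
    {"type": "dns", "pid": 42, "query": "update.example.com"},
    {"type": "connect", "pid": 42, "dst": "198.51.100.7", "port": 10004},
]

if __name__ == "__main__":
    for pid, reasons in match_events(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Running the script reports pid 1337 with five reasons (mutex, C2 lookup, the follow-on connection, the Winlogon write and the SpyNet write) and nothing for pid 42, whose connection on port 10004 is ignored because it never resolved the C2 name. The mutex is matched as a substring so that a `Global\` or `Local\` namespace prefix does not defeat the check.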
-
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (6)
- Disabling Security Tools (4)
- Virtualization/Sandbox Evasion (2)