General
-
Target
Swift_Processing and monitoring.xlam
-
Size
19KB
-
Sample
210420-96z93sqms6
-
MD5
e776a82944a04d1939e9ce9916c30771
-
SHA1
080948c7533b52301fdaa5d3be8b04d58d24aa12
-
SHA256
aac964b49d6f12b420121a28b5c856e473695e00cb5095b862ea9c0db67ed119
-
SHA512
7c9eebbc93f362ec5173ca1a06c38a920c1cff240974bab882c451fbd08d9c6799dd7c0004f8463f6b4b133bb1beedcd1227fa91feead363272f555cc9852891
Static task
static1
Behavioral task
behavioral1
Sample
Swift_Processing and monitoring.xlam
Resource
win7v20210408
Malware Config
Extracted
http://179.43.140.150/shtq/fack.jpg
Extracted
nanocore
1.2.2.0
poseidon99.ddns.net:47581
127.0.0.1:47581
48a36992-d807-4f82-a5e1-68be3ae0a19f
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-11-07T12:06:34.811510836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
47581
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
48a36992-d807-4f82-a5e1-68be3ae0a19f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
poseidon99.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
Target
Swift_Processing and monitoring.xlam
-
Size
19KB
-
MD5
e776a82944a04d1939e9ce9916c30771
-
SHA1
080948c7533b52301fdaa5d3be8b04d58d24aa12
-
SHA256
aac964b49d6f12b420121a28b5c856e473695e00cb5095b862ea9c0db67ed119
-
SHA512
7c9eebbc93f362ec5173ca1a06c38a920c1cff240974bab882c451fbd08d9c6799dd7c0004f8463f6b4b133bb1beedcd1227fa91feead363272f555cc9852891
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blocklisted process makes network request
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-
Suspicious use of SetThreadContext
-
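The behavioural signatures listed above (an Office host spawning an unexpected child, a crash-handler child that suggests a failed exploit, and the Office process itself making a network request) expressed as detection logic and run over constructed Sysmon-style telemetry. This is an added example, not part of the sandbox report and not the sandbox's own rule set. The network IOCs (179.43.140.150 from the extracted URL, poseidon99.ddns.net:47581 from the NanoCore config) come from the report; the Office host list, the child-process lists, the crash-handler names, the event field names and the sample events are assumptions.

```python
"""Added example (not part of the sandbox report): toy detection logic for the
behavioural signatures listed above, run over constructed Sysmon-style events
(Event ID 1 = process creation, Event ID 3 = network connection). Field names,
the Office/child process lists and the sample telemetry are assumptions."""

from dataclasses import dataclass
from typing import Dict, List

# Office host processes that should not spawn interpreters or talk to the network.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children that near-always mean a macro or exploit ran ("unexpected child process").
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Crash handlers; an Office host spawning one suggests a failed exploit
# ("suspicious child process"). Assumption: typical Windows/Office crash reporters.
CRASH_HANDLERS = {"werfault.exe", "dw20.exe"}
# Network IOCs taken from the report's extracted config (download host, NanoCore C2).
C2_HOSTS = {"179.43.140.150", "poseidon99.ddns.net"}
C2_PORTS = {47581}


@dataclass
class Event:
    event_id: int
    image: str                 # process performing the action
    parent_image: str = ""     # Event ID 1 only
    dest_host: str = ""        # Event ID 3 only
    dest_port: int = 0         # Event ID 3 only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per signature match; an event may match more than one."""
    findings: List[Dict[str, str]] = []
    for e in events:
        image, parent = basename(e.image), basename(e.parent_image)
        if e.event_id == 1 and parent in OFFICE_HOSTS:
            if image in UNEXPECTED_CHILDREN:
                findings.append({"sig": "office_unexpected_child",
                                 "parent": parent, "child": image})
            elif image in CRASH_HANDLERS:
                findings.append({"sig": "office_crash_handler_child",
                                 "parent": parent, "child": image})
        elif e.event_id == 3:
            dest = f"{e.dest_host}:{e.dest_port}"
            if image in OFFICE_HOSTS:
                findings.append({"sig": "office_network_request",
                                 "image": image, "dest": dest})
            if e.dest_host in C2_HOSTS or e.dest_port in C2_PORTS:
                findings.append({"sig": "known_c2_contact",
                                 "image": image, "dest": dest})
    return findings


# Constructed sample telemetry (not from the sandbox run); paths are illustrative.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe", parent_image=EXCEL),
    Event(1, r"C:\Windows\SysWOW64\WerFault.exe", parent_image=EXCEL),
    Event(1, r"C:\Windows\splwow64.exe", parent_image=EXCEL),          # expected print proxy
    Event(1, r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),                    # unrelated
    Event(3, EXCEL, dest_host="179.43.140.150", dest_port=80),         # fetch of fack.jpg
    Event(3, r"C:\Users\victim\AppData\Roaming\payload.exe",           # placeholder name
          dest_host="poseidon99.ddns.net", dest_port=47581),           # NanoCore C2
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_host="example.org", dest_port=443),                     # benign
]


def run_sample() -> List[Dict[str, str]]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed events this yields five findings: the cmd.exe child, the crash-handler child, the Excel download (which trips both the Office-network rule and the C2 host list) and the later C2 contact on port 47581. In production the Office-network rule needs an allow-list for updater and licensing endpoints, and the crash-handler rule should be correlated with the preceding document open rather than alerted on alone, since Office crashes for benign reasons too.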