General
-
Target
af78c571f5ae340994d3255d16e16c37fdba61b8a64577a05d407ef0868184b3
-
Size
557KB
-
Sample
220521-bp5v6sfcej
-
MD5
90f466af2ee4d760d8e601a964e2db88
-
SHA1
c66c96f5ee29c2bd03730a5739d29e8a6db80067
-
SHA256
af78c571f5ae340994d3255d16e16c37fdba61b8a64577a05d407ef0868184b3
-
SHA512
ec9ebce3962a58962f4923d6ac9cf3e358bf3d82948ea6f4a43ba1dfbfaf11a58ba7408fc132045387ff529daf8948cc3a79af0df23f658099609fc5dfadb9bb
Static task
static1
Behavioral task
behavioral1
Sample
Doc_43795379326436.PDF.exe (double-extension lure: a ".PDF" segment in front of the real ".exe" extension)
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
194.5.97.7:21600 — primary C2 (primary_connection_host with connection_port, see below)
127.0.0.1:21600 — backup_connection_host is loopback, i.e. a placeholder rather than a second reachable C2; only 194.5.97.7 is an actionable network IOC
e5b96bc8-7801-4aaf-bd22-9b94311755e4 — same GUID as the mutex value below; usable as a host-based IOC
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-22T19:43:27.532173036Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(no value extracted for this key)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
21600
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB; extracted as the float 1.048576e+07)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB; extracted as the float 1.048576e+07)
-
mutex
e5b96bc8-7801-4aaf-bd22-9b94311755e4
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
194.5.97.7
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true — if honored, the implant marks its own process as critical; terminating it outright can bugcheck the host, so verify or clear that flag before killing the process during response
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Doc_43795379326436.PDF.exe
-
Size
669KB
-
MD5
4946bb30cda28a17bf7bf7db7c575512
-
SHA1
5eb81dce4e2c75d9d70593abbad8ed3937c44378
-
SHA256
503b445570a93a7cb69b2d5c17256274a5d8f2086b113229edbc1183f341391c
-
SHA512
d7d14f8c630b05198db66ad8a1b97147f48de055373d44c8467b7fe19097ac6b5e2682f406196446ffad6eabe757795715278930e4bd5e33f9ad3bdebaf2df61
-
Checks computer location settings
Reads the country code configured in the registry; most likely a geofencing check that gates execution on the victim's locale.
-
Adds Run key to start application — persistence observed in the behavioral run even though the extracted config has run_on_startup = false; the Run key may be written by the Doc_43795379326436.PDF.exe loader rather than by the NanoCore payload's own configuration, so check which process wrote it.
-
Suspicious use of SetThreadContext — commonly associated with process hollowing / thread-context injection; check which target process had its thread context modified to identify where the payload actually runs.
-