General

  • Target

    3af069d5ff9c683e5c4a13a9cb01d86baf46d058e2add164085093cdb9bd28e4

  • Size

    457KB

  • Sample

    220703-wy724sdha4

  • MD5

    9d9f64b316d0a78f943f9768b0b4b481

  • SHA1

    fbd8f583b3a9da69ad2b39824f95120322f503f7

  • SHA256

    3af069d5ff9c683e5c4a13a9cb01d86baf46d058e2add164085093cdb9bd28e4

  • SHA512

    1af5672f263ab6d27b4a419cb5d1930d116284cf92632b86ffd3475f85e0abf5407f331a75594d9866b8c1f0f38b2f058f59ed838104fcecd02dc9b2ef9dcff1

Targets

    • Target

      INQUIRY NO- 2744.js

    • Size

      2.1MB

    • MD5

      2f3507015138a0ef0d3c91fca1fcf5f2

    • SHA1

      7cf3028b2f73ee9a7474b242721fbf9d1639e6c8

    • SHA256

      bde745851b6cfd0b1f52692ff12873484fc0553f0a4c22976a71404991557655

    • SHA512

      62c2ad91c890f7763063625f8f4dcee4f4eb845de9bd9ea9a65988d9915e55095c77c492848ecd66567c17ddc0d5bada37edc05a89dc0fc6fb1f76568f75aa68

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the payload runs on this machine.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                             ID      Count
Persistence       Registry Run Keys / Startup Folder    T1060   1
Defense Evasion   Modify Registry                       T1112   1
Discovery         Query Registry                        T1012   1
Discovery         System Information Discovery          T1082   3
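A triage script that applies the behavioural signatures listed in this report to a process trace and tallies the results by ATT&CK technique, as an added example (it is not code from the sandbox or from the report). The trace lines, their `kind|operation|actor|target|detail` layout and the file and process names in them are constructed for this example; the mapping of each signature to a v6 technique ID is the example's own assumption, since the report only lists IDs and counts. The "dropped EXE/DLL" checks work the way an analyst would do it by hand: remember every file the sample writes, then flag any later process creation or image load whose path is one of those files.

```python
"""Triage a constructed sandbox trace against the behavioural signatures in this report."""
import re
from dataclasses import dataclass

# Constructed trace (not real sandbox output). The layout is an assumption for
# this example: kind|operation|actor|target|detail, one event per line, in time order.
SAMPLE_TRACE = r"""
file|Write|wscript.exe|C:\Users\user\AppData\Roaming\svc.exe|
file|Write|wscript.exe|C:\Users\user\AppData\Roaming\helper.dll|
proc|Create|wscript.exe|C:\Users\user\AppData\Roaming\svc.exe|
image|Load|svc.exe|C:\Users\user\AppData\Roaming\helper.dll|
reg|QueryValue|svc.exe|HKCU\Control Panel\International\Geo\Nation|
reg|QueryValue|svc.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|
reg|SetValue|svc.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater|C:\Users\user\AppData\Roaming\svc.exe
api|SetThreadContext|svc.exe|pid:4120|
"""

# Registry locations behind three of the report's signatures. Run/RunOnce keys give
# logon persistence; EnableLUA is the UAC master switch; Geo\Nation holds the user's
# configured country (GeoID), the value a geofence check reads.
RUN_KEY = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UAC_VALUE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
GEO_VALUE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

# Signature -> ATT&CK v6 ID. The IDs are the ones in the report's matrix; which
# signature lands on which ID is this example's assumption. None means the report
# lists the behaviour as a signature only, with no matrix cell.
TACTIC_OF = {"T1060": "Persistence", "T1112": "Defense Evasion",
             "T1012": "Discovery", "T1082": "Discovery"}


@dataclass(frozen=True)
class Event:
    kind: str
    op: str
    actor: str
    target: str
    detail: str


def parse_trace(text):
    """Parse the pipe-separated trace into Event objects, rejecting malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed event line: {line!r}")
        events.append(Event(*parts))
    return events


def triage(events):
    """Return (signature, technique_id) hits in first-seen order, without duplicates."""
    dropped = set()   # lower-cased paths the sample has written so far
    hits = []

    def hit(sig, tid):
        if (sig, tid) not in hits:
            hits.append((sig, tid))

    for ev in events:
        target = ev.target.lower()
        if ev.kind == "file" and ev.op == "Write":
            dropped.add(target)
        elif ev.kind == "proc" and ev.op == "Create" and target in dropped:
            hit("Executes dropped EXE", None)
        elif ev.kind == "image" and ev.op == "Load" and target in dropped:
            hit("Loads dropped DLL", None)
        elif ev.kind == "reg" and ev.op == "SetValue" and RUN_KEY.search(ev.target):
            hit("Adds Run key to start application", "T1060")
            hit("Modify Registry", "T1112")
        elif ev.kind == "reg" and ev.op == "QueryValue":
            hit("Query Registry", "T1012")
            if UAC_VALUE.search(ev.target):
                hit("Checks whether UAC is enabled", "T1082")
            if GEO_VALUE.search(ev.target):
                hit("Checks computer location settings", "T1082")
        elif ev.kind == "api" and ev.op == "SetThreadContext":
            # Thread-context rewriting from one process into another is the usual
            # tell for process hollowing; the report flags the API use only.
            hit("Suspicious use of SetThreadContext", None)
    return hits


def attack_counts(hits):
    """Tally hits per tactic and technique, the shape of the report's matrix."""
    counts = {}
    for _, tid in hits:
        if tid is None:
            continue
        per_tactic = counts.setdefault(TACTIC_OF[tid], {})
        per_tactic[tid] = per_tactic.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(parse_trace(SAMPLE_TRACE))
    for sig, tid in found:
        print(f"{tid or '-':6} {sig}")
    for tactic, techniques in attack_counts(found).items():
        print(tactic, techniques)
```

The count per technique is the number of distinct signatures that mapped to it, so the constructed trace yields T1082 twice (UAC and country checks) where the report shows 3; the third signature behind the report's count is not something the page identifies, so the example does not guess at it.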