10FOI/Win10Update.exe
windows7-x64
10FOI/Win10Update.exe
windows10-2004-x64
10FOI/WindowsDefender.exe
windows7-x64
10FOI/WindowsDefender.exe
windows10-2004-x64
10FOI/diagsvc.exe
windows7-x64
10FOI/diagsvc.exe
windows10-2004-x64
10FOI/duggan123.exe
windows7-x64
10FOI/duggan123.exe
windows10-2004-x64
10FOI/imapsv.exe
windows7-x64
10FOI/imapsv.exe
windows10-2004-x64
10FOI/sdiagnhost.exe
windows7-x64
10FOI/sdiagnhost.exe
windows10-2004-x64
10FOI/stordiag.exe
windows7-x64
8FOI/stordiag.exe
windows10-2004-x64
8General
-
Target
FOI.tar.gz
-
Size
974KB
-
Sample
220914-bn5h1shaa7
-
MD5
029a04db023634c4d11b154838f7e305
-
SHA1
3fa27e7df0b73d29b6a9a1bdb22b35f372ff2613
-
SHA256
ca346708475c9cb5a70d7f8e7dde8af2c55ddc174e345c059f2b04d160729f8f
-
SHA512
03a1694736b010830dec5e41fffe321b5166f7ccda9413b5f05bcca61b2a3dcc202a7c37ea42ae556894029d954dca53c921550c116c14042a718844bc9709af
-
SSDEEP
24576:yk6O581sXCzHKf+n7ZrDF2JSsFTBejiqrvA34Pnj:uOvXCzHKf+7FDF5sFhsvOcj
Behavioral task
behavioral1
Sample
FOI/Win10Update.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FOI/Win10Update.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
FOI/WindowsDefender.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
FOI/WindowsDefender.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
FOI/diagsvc.exe
Resource
win7-20220901-en
Behavioral task
behavioral6
Sample
FOI/diagsvc.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
FOI/duggan123.exe
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
FOI/duggan123.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
FOI/imapsv.exe
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
FOI/imapsv.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral11
Sample
FOI/sdiagnhost.exe
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
FOI/sdiagnhost.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
FOI/stordiag.exe
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
FOI/stordiag.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
fji673mfa09zhvs.freemyip.com:3827
noan12.noanvaruncorekumar.cf:5525
varunbenchod221234.freemyip.com:7782
37.120.141.153:7782
waf901309oi.freemyip.com:4381
37.120.141.152:4381
nserv.anondns.net:54987
ouff.anondns.net:54987
nc.anondns.net:50951
asy.anondns.net:50951
cf839a08-a0b5-4da0-a9fa-57a034794011
-
activate_away_mode
false
-
backup_connection_host
fji673mfa09zhvs.freemyip.com
-
backup_dns_server
-
buffer_size
65535
-
build_time
2022-02-26T18:03:16.268154636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3827
-
default_group
----------------------
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
cf839a08-a0b5-4da0-a9fa-57a034794011
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
fji673mfa09zhvs.freemyip.com
-
primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
FOI/Win10Update.exe
-
Size
203KB
-
MD5
2c0e6eec7a917aa21127d4ae6564e7f4
-
SHA1
fd8dddce32bd1ed6ae9f7273e40660eee3d8f7b3
-
SHA256
1daacc43fda4e27bde15a2316edaf6073c7cdbd0d0c23e2ad315345329d062d0
-
SHA512
de87a4d1fdb3697805545569cfde58a4188dd6cb2fbef67633bb59a6e001df136ba9f2e675eb6e5fc7651d2bdd1aa6a2f5bfad2a39ae89225768043c352bc41e
-
SSDEEP
3072:OzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIoR6l9e5YBFUS68fnSpbcsN3KW:OLV6Bta6dtJmakIM5Gi2H5fni/MuQfq
-
Adds Run key to start application
-
-
-
Target
FOI/WindowsDefender.exe
-
Size
202KB
-
MD5
23529193e7df08237d9918ef7ffa06ce
-
SHA1
8d674367585bc549d87bad1842d13e806ace5c46
-
SHA256
d3206e019dbd990c4debeee6e791ef240c3988910b9b628050dfd773ce8f0739
-
SHA512
75b36d8f798211b4bef5d5fcd98a799921049e9bbe2f1dfa6be5c30608f71ec93be2de1c66b37e627bff6f22fe8187ae6a20a486daf13b2231117b160043685c
-
SSDEEP
3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIa0N2B5VEF7D0tyI+AQ10bJG0:wLV6Bta6dtJmakIM5I0BMB6V+AQ1+JX
-
Adds Run key to start application
-
-
-
Target
FOI/diagsvc.exe
-
Size
203KB
-
MD5
db33a945f9bf4d3b2956daf62408ce8d
-
SHA1
bedf9e62f76578a7f51afcaf0ce9d822f62d6735
-
SHA256
9dece137d410f58d20c11d720c6a761020ee57016a5e4cb9dfae106f22d51c85
-
SHA512
88ff29c3de597c272549d827eb94d0c06b8f5ce87408cc4a10bdda7e76b2492b0fbb623d4f3dd5834f20694343d01e8857c496cdb7e894cae8b166693c3e015d
-
SSDEEP
3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIrJdWu5Z6ZhkSyZL1wja73As3K:MLV6Bta6dtJmakIM5a5eGvwjDs/fCsU5
-
Adds Run key to start application
-
-
-
Target
FOI/duggan123.exe
-
Size
203KB
-
MD5
ab7edb633a1922984791a268984beb97
-
SHA1
add0328e7f0db7158b5050f4c38724e699f5f638
-
SHA256
eb1ce1b8311231a2e92d9f1caee3cc9672ce8f434a8c004e43548ecbd8825bc5
-
SHA512
4839a5cb53481b9b589e543584919858cd1aca3a339f35fbdba479c26e525d180e4b62fe5c7248b8f90eb1cc5deb66be84e0890191eefe8138ac0eb21872011e
-
SSDEEP
3072:uzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIyTUHnWi8DnkE/pnQD/2uDEm+0:uLV6Bta6dtJmakIM5boSDnkEuCuI1Xu
-
Adds Run key to start application
-
-
-
Target
FOI/imapsv.exe
-
Size
203KB
-
MD5
5d55fcab603a4d98fe8b0bdff27fc7e4
-
SHA1
6ccf3458ae414dd136ccc22e8cfd9497b73e624c
-
SHA256
80cbb1f3837b4736acdb6df2aebc415d847f649937613802511a8307556d0f58
-
SHA512
30e11dc93cc7167158592e1af09811ba6d8c72beadcd3252d2f2b748f51bcfd653b67e5444d12deb3f811f4c404fe6ed95e39122a079444766782b70daa10e3e
-
SSDEEP
6144:SLV6Bta6dtJmakIM5+SxxV2Pvj3Y+w5A:SLV6Btpmkg2PvT
-
Adds Run key to start application
-
-
-
Target
FOI/sdiagnhost.exe
-
Size
210KB
-
MD5
9f9f4aac7e44028bace0030dafc0f847
-
SHA1
894fc0c296d277020050ca31e6e928410d18337a
-
SHA256
7de2be3dd820e996acb9dc3a2cb71b149a385efa74602f82c0f0d64c89de550c
-
SHA512
4ca5ee9939eb005145022d680d0a7948a4d9246393ff9ddd906db9c79d36e51df76b22a6eeb91df121ccb012ec864a26d8f3e3b287e0985421e4b42ef8b20729
-
SSDEEP
6144:MLV6Bta6dtJmakIM5QBGVW+qZgB6TX7PihC2h:MLV6Btpmkfkf+z74Lh
-
Adds Run key to start application
-
-
-
Target
FOI/stordiag.exe
-
Size
32KB
-
MD5
d3815ad86347cbb32de4416acb943eff
-
SHA1
4018a5deb3d61c8c4827b76425db5cffad2c9e80
-
SHA256
e7326f64bdf74f18d75644f325b3d076db50eafdbfdb74c0fe97e7341ee23287
-
SHA512
fe055198123b1fd86218cd5887290410962a92845060d85394ebdb84fb181f8e90ac17629ad39b14bd83ad5bb30cbe59d1066c6c8de9eb9d07d0d2ef5cdbf7ce
-
SSDEEP
768:vf7w9Dhxw9dParwnBwatRkw3ccrfLvWr:sCjysiajkw3cafDWr
Score 8/10
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-