General
-
Target
ee732fe083d094477408b867d673fa9ce9b443099a3a9178362f2cf032297224
-
Size
776KB
-
Sample
221126-jclkrscc22
-
MD5
9caffe7a2a97e5c787dbf0df3e7eb18d
-
SHA1
c1a4a0133fd6869f37ae43db74b143b821105fe7
-
SHA256
ee732fe083d094477408b867d673fa9ce9b443099a3a9178362f2cf032297224
-
SHA512
5e4a2b64b18f5316937de8ccd0925d05de443d98f0b10267a9e62e923e43d1d0aa758c8be0e112494948fc799c9a57ea40d19d53d3313ee8e90f830b5376a22b
-
SSDEEP
12288:jdgWHE2zmj8huD9qs4eJiRMWjg1PDNfOdyPGkmFcagwYSSIsEd9HZ+EEV:28yj8hAqSiOkgNCyPGkmFCNumEE
Static task
static1
Behavioral task
behavioral1
Sample
ee732fe083d094477408b867d673fa9ce9b443099a3a9178362f2cf032297224.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.1.1
mrsaix.noip.me:9033
92c248cc-2654-43ec-876f-26667c552790
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2014-11-01T23:50:25.731419836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9033
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
92c248cc-2654-43ec-876f-26667c552790
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mrsaix.noip.me
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.1.1
-
wan_timeout
8000
Targets
-
-
Target
ee732fe083d094477408b867d673fa9ce9b443099a3a9178362f2cf032297224
-
Size
776KB
-
MD5
9caffe7a2a97e5c787dbf0df3e7eb18d
-
SHA1
c1a4a0133fd6869f37ae43db74b143b821105fe7
-
SHA256
ee732fe083d094477408b867d673fa9ce9b443099a3a9178362f2cf032297224
-
SHA512
5e4a2b64b18f5316937de8ccd0925d05de443d98f0b10267a9e62e923e43d1d0aa758c8be0e112494948fc799c9a57ea40d19d53d3313ee8e90f830b5376a22b
-
SSDEEP
12288:jdgWHE2zmj8huD9qs4eJiRMWjg1PDNfOdyPGkmFcagwYSSIsEd9HZ+EEV:28yj8hAqSiOkgNCyPGkmFCNumEE
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-