General
-
Target
a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c
-
Size
513KB
-
Sample
221126-kehsbshg9s
-
MD5
d4d8d5561f956ce6152c0bdef9ab0330
-
SHA1
b3b8f4be8a671c3b24a9dc18055b611e2ba4357d
-
SHA256
a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c
-
SHA512
fcb26b648477c71ebb7dd277430f009992fe5d393406cc117c7fa2c08666416f8caad843613866d6a0caf7fd7c524cd34c49e87b6ba28d2d92d6ee1074278521
-
SSDEEP
12288:737VWUQUXrv6c2Q1JDB1sCbj21Hln4Ye0rXDc:XKUXj6cbJl1DXeln4Z0rXDc
Static task
static1
Behavioral task
behavioral1
Sample
a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.1.1
87.231.21.54:4242
192.168.0.18:4242
322262ce-9696-4b85-b0b7-24f45dfb3e97
-
activate_away_mode
true
-
backup_connection_host
192.168.0.18
-
backup_dns_server
-
buffer_size
65535
-
build_time
2014-10-27T20:39:29.987250736Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4242
-
default_group
TheGr8Spread
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
322262ce-9696-4b85-b0b7-24f45dfb3e97
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
87.231.21.54
-
primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.1.1
-
wan_timeout
8000
Targets
-
-
Target
a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c
-
Size
513KB
-
MD5
d4d8d5561f956ce6152c0bdef9ab0330
-
SHA1
b3b8f4be8a671c3b24a9dc18055b611e2ba4357d
-
SHA256
a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c
-
SHA512
fcb26b648477c71ebb7dd277430f009992fe5d393406cc117c7fa2c08666416f8caad843613866d6a0caf7fd7c524cd34c49e87b6ba28d2d92d6ee1074278521
-
SSDEEP
12288:737VWUQUXrv6c2Q1JDB1sCbj21Hln4Ye0rXDc:XKUXj6cbJl1DXeln4Z0rXDc
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry; likely used for geofencing.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-