General
-
Target
f1b994f93c8867633ba81a83ed1936cd0ed2a9843395858853a84ac55f06b0f3
-
Size
1.4MB
-
Sample
221128-skx37sce85
-
MD5
12b07070fba39278fc68fe477300f7ea
-
SHA1
5926bdd2e3ad13e1f14372e17268652f3cd0b301
-
SHA256
f1b994f93c8867633ba81a83ed1936cd0ed2a9843395858853a84ac55f06b0f3
-
SHA512
2a901218bf7ef4f92866859df55f667ee81e059819a0e81131f1d003a20a4d73b7dafc5dcd299c3480e7d080fd04995fa78e2dd9ac1bd61230f163ad4cf8b4f8
-
SSDEEP
12288:HD+UoyWevH5fVoIvUIiZIBTbnMoosJ0PE2F9n2RED1HWVLnLBp:HKUoGf5fVlDR1jMLDx2SR2VL1p
Static task
static1
Behavioral task
behavioral1
Sample
f1b994f93c8867633ba81a83ed1936cd0ed2a9843395858853a84ac55f06b0f3.exe
Resource
win7-20221111-en
Malware Config
Extracted
nanocore
1.2.2.0
cheapshoes.ddns.net:5777 (C2 host and port; a dynamic-DNS hostname, so the resolved IP can change over time — pivot and block on the hostname rather than on a single IP observed at analysis time)
6e19e92d-ffc6-44e3-b837-a6da2e2d37f0 (mutex name; also listed under `mutex` in the full configuration below)
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2014-12-10T20:17:34.898812336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
5777
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
6e19e92d-ffc6-44e3-b837-a6da2e2d37f0
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
cheapshoes.ddns.net
-
primary_dns_server
8.8.8.8 (Google public DNS, not attacker-controlled infrastructure; note that `use_custom_dns_server` is false, so this value is not a useful network indicator)
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
f1b994f93c8867633ba81a83ed1936cd0ed2a9843395858853a84ac55f06b0f3
-
Size
1.4MB
-
MD5
12b07070fba39278fc68fe477300f7ea
-
SHA1
5926bdd2e3ad13e1f14372e17268652f3cd0b301
-
SHA256
f1b994f93c8867633ba81a83ed1936cd0ed2a9843395858853a84ac55f06b0f3
-
SHA512
2a901218bf7ef4f92866859df55f667ee81e059819a0e81131f1d003a20a4d73b7dafc5dcd299c3480e7d080fd04995fa78e2dd9ac1bd61230f163ad4cf8b4f8
-
SSDEEP
12288:HD+UoyWevH5fVoIvUIiZIBTbnMoosJ0PE2F9n2RED1HWVLnLBp:HKUoGf5fVlDR1jMLDx2SR2VL1p
-
Modifies WinLogon for persistence (consistent with `run_on_startup: true` in the extracted configuration)
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry; likely a geofencing check, meaning the sample's behaviour may differ depending on the locale of the analysis system.
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext (a generic signature commonly associated with process injection; confirm the target process from the behavioural trace before treating it as injection)
-