General
-
Target
Mille raisons de venir.scr.exe
-
Size
2.2MB
-
Sample
240720-rg9gds1amp
-
MD5
ebb76f0ad42d838df23137b3321d79ff
-
SHA1
946ea76180d53a3049ea7a3b07403ee628b9fac2
-
SHA256
79f7fa86d8dba1349208fa8c36663deb9d6c91a2be54b43d2fc6b7cb78039023
-
SHA512
6ae67476a9442ab9b81765e5fd2a43f68f90139568494eac590a95763ba4ed92281994b63a4ad54e0a79c7149550a3bbf329705fa8537847343c148dfdaf61a3
-
SSDEEP
49152:G+78xSwy+c0Hq9rm2ZHosBnsKXdniYM48E/pa/ZOovp/:Gs8xAJ0K95HBdlM1yQxOoB
Static task
static1
Behavioral task
behavioral1
Sample
Mille raisons de venir.scr.exe
Resource
win7-20240704-en
Malware Config
Extracted
nanocore
1.2.2.0
e-businessloader.mywire.org:5230
127.0.0.1:5230
0be0e5d9-4209-4f88-b4fe-27e7b678a0b5
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-03-16T21:32:38.702958636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5230
-
default_group
e-business
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
0be0e5d9-4209-4f88-b4fe-27e7b678a0b5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
e-businessloader.mywire.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Mille raisons de venir.scr.exe
-
Size
2.2MB
-
MD5
ebb76f0ad42d838df23137b3321d79ff
-
SHA1
946ea76180d53a3049ea7a3b07403ee628b9fac2
-
SHA256
79f7fa86d8dba1349208fa8c36663deb9d6c91a2be54b43d2fc6b7cb78039023
-
SHA512
6ae67476a9442ab9b81765e5fd2a43f68f90139568494eac590a95763ba4ed92281994b63a4ad54e0a79c7149550a3bbf329705fa8537847343c148dfdaf61a3
-
SSDEEP
49152:G+78xSwy+c0Hq9rm2ZHosBnsKXdniYM48E/pa/ZOovp/:Gs8xAJ0K95HBdlM1yQxOoB
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1