General
-
Target
bc2c2fce9b6d912c3eb394eba723c0f4c9a03ec70f6978d78cfe8e8269b20af3
-
Size
655KB
-
Sample
240820-e86hlaxejl
-
MD5
992ce84c8bc97f7cd347347eb64dc023
-
SHA1
66bd48df2244f8f24e4635deb2f1bd89887c3716
-
SHA256
bc2c2fce9b6d912c3eb394eba723c0f4c9a03ec70f6978d78cfe8e8269b20af3
-
SHA512
30477419a96cae646389995c1ead8832f53205cda8568cb20e7064ac27cf7e48ac301ae1ae1ff9e93605189bec8a45b68dd8a75524c549666642ead19dab5cbd
-
SSDEEP
12288:IsXcVLHrmjSJlFxARWas13tEhaXjya+S9/ogr0gv7Z5nJ+7ZsriJmD3DFBFALt:IjVLHqjilKVs1Uu/687bnJ8ZsriJaBBw
Static task
static1
Behavioral task
behavioral1
Sample
image.exe
Resource
win7-20240708-en
Malware Config
Extracted
nanocore
1.2.2.0
percolysrl2.ddns.net:50720
94.156.68.149:50720
8db2e04d-fea6-4ac1-bc82-47d992a4c6e5
-
activate_away_mode
true
-
backup_connection_host
94.156.68.149
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-05-28T11:54:58.690784636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
50720
-
default_group
PUNK
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
8db2e04d-fea6-4ac1-bc82-47d992a4c6e5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
percolysrl2.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5009
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5008
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
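The extracted config above is what a responder actually hunts on: two C2 endpoints on port 50720, a mutex GUID, and a handful of behaviour flags. The Python below is an added example, not part of the sandbox report and not any vendor's tooling. It parses a constructed copy of the report's own key / value / "-" layout (a subset of the fields, values taken from the page; the bypass_user_account_control_data key, which has no value on the page, is recorded as None), returns the endpoints and mutex, flags the settings that change how an infected host should be examined, and emits Suricata rules for the endpoints. The rule text and SID base are assumptions; a hostname gets a dns.query rule because a Suricata rule header needs an IP. Note also that the General section (655KB, bc2c2fce...) and the image.exe target (779KB, 41e0b1de...) are two different files, so both hash sets belong on a blocklist.

```python
import ipaddress
import re

# Constructed copy of the extracted config shown above, in the report's own layout
# (values from the page; only a subset of the fields is kept for brevity).
CONFIG_DUMP = """\
nanocore
1.2.2.0
percolysrl2.ddns.net:50720
94.156.68.149:50720
8db2e04d-fea6-4ac1-bc82-47d992a4c6e5
-
backup_connection_host
94.156.68.149
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_zone_identifier
true
-
connection_port
50720
-
run_on_startup
false
"""

# Flags that change what to look for on the host when set to true (assumed wording).
RISKY_FLAGS = {
    "bypass_user_account_control": "UAC bypass: expect the payload to run elevated",
    "clear_zone_identifier": "Zone.Identifier stripped: dropped files carry no Mark-of-the-Web",
    "keyboard_logging": "keylogger module enabled",
    "run_on_startup": "payload installs its own autostart entry",
}


def _coerce(value):
    if value is None:
        return None
    if value in ("true", "false"):
        return value == "true"
    return int(value) if re.fullmatch(r"-?\d+", value) else value


def parse_config(dump: str) -> dict:
    """Return {'family', 'version', 'c2': [(host, port)], 'mutex', 'settings': {...}}."""
    lines = dump.splitlines()
    ioc = {"family": lines[0], "version": lines[1], "c2": [], "mutex": None, "settings": {}}
    i = 2  # header: host:port lines, then the mutex GUID, up to the first "-"
    while i < len(lines) and lines[i] != "-":
        m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d+)", lines[i])
        if m:
            ioc["c2"].append((m.group(1), int(m.group(2))))
        else:
            ioc["mutex"] = lines[i]
        i += 1
    chunk = []

    def flush():  # one chunk = key [value]; a key with no value line becomes None
        if chunk:
            ioc["settings"][chunk[0]] = _coerce(chunk[1]) if len(chunk) > 1 else None
            chunk.clear()

    for line in lines[i:] + ["-"]:
        if line == "-":
            flush()
        elif line.startswith("- "):  # key glued to its separator, as in the report
            flush()
            chunk.append(line[2:])
        else:
            chunk.append(line)
    return ioc


def risk_notes(ioc: dict) -> list:
    return [text for flag, text in RISKY_FLAGS.items() if ioc["settings"].get(flag) is True]


def suricata_rules(ioc: dict, sid_base: int = 1000000) -> list:
    """IP endpoints get a TCP rule; hostnames get a dns.query rule (Suricata 5+ syntax)."""
    rules = []
    for n, (host, port) in enumerate(ioc["c2"], start=1):
        sid = sid_base + n
        try:
            ipaddress.ip_address(host)
            rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                         f'(msg:"{ioc["family"]} C2 {host}:{port}"; sid:{sid}; rev:1;)')
        except ValueError:
            rules.append(f'alert dns any any -> any any (msg:"{ioc["family"]} C2 DNS {host}"; '
                         f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    print(cfg["c2"], cfg["mutex"], *risk_notes(cfg), *suricata_rules(cfg), sep="\n")
```

The mutex GUID is the same value as the "mutex" field further down the config, so a single OpenMutex check on a live host, or a handle search in a memory image, covers both.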
Targets
-
-
Target
image.exe
-
Size
779KB
-
MD5
7349c111442a81bd317c11bc6ae54272
-
SHA1
60955f9f7eac98908168bbd10dea35c0562ed79b
-
SHA256
41e0b1de55bbfe30925144c498ee806aeb17422f4a1b867e1bf5f0c3685e892c
-
SHA512
3eccabe6ad904fe56cf6c465a6096e868f9d8087af9f031a35d21876a016e97745f45c3e822bf63098036a39dd219406c28514c97753b48bcdb649870df91cfe
-
SSDEEP
12288:kGazCwgqaVouy0Pl2T5xw02/ZFxeciN9/ogrKgvFZpxJ+7ZXJUNcTEy9+Refu:kBC/qaSuyK2TEbe//s8FfxJ8ZXJNyo
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
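Two of the signatures above, PowerShell adding Defender exclusions and a Run key being written, leave traces in the Windows event logs that can be hunted fleet-wide. The Python below is an added example, not part of the report: it runs three regex hunts over constructed event records whose messages are modelled on Defender event 5007 (configuration changed), PowerShell event 4104 (script block text) and Sysmon event 13 (registry value set). The records, the WinUpdate value name and the file paths are invented for the example; the page names none of them. One caveat worth carrying into the hunt: the extracted config has run_on_startup set to false, yet the sandbox still saw a Run key added, so the autostart check should not be skipped on the strength of that flag. SetThreadContext is not covered here, since neither Sysmon nor the Windows event log records that call.

```python
import re

# Constructed sample records (not from the sandbox). Messages are modelled on
# Defender 5007, PowerShell 4104 and Sysmon 13; paths and value names are invented.
EVENTS = [
    {"provider": "Microsoft-Windows-PowerShell", "id": 4104,
     "message": "Creating Scriptblock text (1 of 1):\r\n"
                "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
                "-ExclusionExtension '.exe' -ExclusionProcess 'image.exe'\r\n"},
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed.\r\n"
                "\tOld value: \r\n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed.\r\n"
                "\tOld value: \r\n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Processes\\image.exe = 0x0"},
    {"provider": "Microsoft-Windows-Sysmon", "id": 13,
     "message": "Registry value set:\r\nEventType: SetValue\r\n"
                "Image: C:\\Users\\victim\\AppData\\Roaming\\image.exe\r\n"
                "TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
                "\\Run\\WinUpdate\r\nDetails: C:\\Users\\victim\\AppData\\Roaming\\image.exe"},
    {"provider": "Microsoft-Windows-PowerShell", "id": 4104,  # benign: read-only cmdlet
     "message": "Creating Scriptblock text (1 of 1):\r\n"
                "Get-MpPreference | Select-Object ExclusionPath\r\n"},
]

# Defender registry subkeys named in a 5007 event when an exclusion is added.
EXCLUSION_KEY = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ", re.I)
# Cmdlets and parameters that add exclusions; Get-MpPreference alone does not match.
EXCLUSION_CMD = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\r\n]*?-Exclusion(Path|Extension|Process)\b", re.I)
# Sysmon 13 TargetObject under a Run or RunOnce key (HKLM or a user hive).
RUN_KEY = re.compile(r"TargetObject: (.*\\CurrentVersion\\Run(Once)?\\[^\r\n]+)", re.I)


def find_findings(events):
    """Return (rule, detail) tuples, one per record that matches a hunt."""
    out = []
    for ev in events:
        msg, eid = ev["message"], ev["id"]
        if eid == 5007 and (m := EXCLUSION_KEY.search(msg)):
            out.append(("defender_exclusion_added", f"{m.group(1)}: {m.group(2)}"))
        elif eid == 4104 and EXCLUSION_CMD.search(msg):
            # Record every exclusion type named in the script block, in a stable order.
            kinds = sorted({k.lower() for k in
                            re.findall(r"-Exclusion(Path|Extension|Process)", msg, re.I)})
            out.append(("powershell_defender_exclusion", ",".join(kinds)))
        elif eid == 13 and (m := RUN_KEY.search(msg)):
            detail = re.search(r"Details: ([^\r\n]+)", msg)
            out.append(("run_key_autostart",
                        f"{m.group(1)} -> {detail.group(1) if detail else '?'}"))
    return out


if __name__ == "__main__":
    for rule, detail in find_findings(EVENTS):
        print(f"{rule:32} {detail}")
```

On a real host the same three hunts map to Get-WinEvent over the Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-PowerShell/Operational and Microsoft-Windows-Sysmon/Operational channels; 4104 needs script block logging enabled, which is why the 5007 hunt is the more reliable of the two for the exclusion behaviour.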
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)