General

  • Target

    bc2c2fce9b6d912c3eb394eba723c0f4c9a03ec70f6978d78cfe8e8269b20af3

  • Size

    655KB

  • Sample

    240820-e86hlaxejl

  • MD5

    992ce84c8bc97f7cd347347eb64dc023

  • SHA1

    66bd48df2244f8f24e4635deb2f1bd89887c3716

  • SHA256

    bc2c2fce9b6d912c3eb394eba723c0f4c9a03ec70f6978d78cfe8e8269b20af3

  • SHA512

    30477419a96cae646389995c1ead8832f53205cda8568cb20e7064ac27cf7e48ac301ae1ae1ff9e93605189bec8a45b68dd8a75524c549666642ead19dab5cbd

  • SSDEEP

    12288:IsXcVLHrmjSJlFxARWas13tEhaXjya+S9/ogr0gv7Z5nJ+7ZsriJmD3DFBFALt:IjVLHqjilKVs1Uu/687bnJ8ZsriJaBBw

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

percolysrl2.ddns.net:50720

94.156.68.149:50720

Mutex

8db2e04d-fea6-4ac1-bc82-47d992a4c6e5

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    94.156.68.149

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-05-28T11:54:58.690784636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    50720

  • default_group

    PUNK

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    8db2e04d-fea6-4ac1-bc82-47d992a4c6e5

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    percolysrl2.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5009

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5008

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
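The Attributes list above is the sandbox's flat export of the NanoCore client configuration. As an added example (not the sandbox's or NanoCore's own code), the Python below parses a constructed excerpt of that list in the page's own bullet/value layout, normalises the values (booleans, integers, and the byte sizes the export writes in scientific notation such as 1.048576e+07), and derives what an analyst would pull from it: C2 host:port pairs from the primary and backup hosts, the mutex, and the DNS servers only when use_custom_dns_server is set, since otherwise the 8.8.8.8/8.8.4.4 values are client defaults rather than indicators. The key names are the page's; the function names and the CONFIG_DUMP excerpt are mine.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed excerpt of the Attributes list above, in the page's own layout
# ("  • key", blank line, indented value). The key without a value line
# (bypass_user_account_control_data) is kept to exercise that edge case.
CONFIG_DUMP = """\
  • backup_connection_host

    94.156.68.149

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • connection_port

    50720

  • gc_threshold

    1.048576e+07

  • mutex

    8db2e04d-fea6-4ac1-bc82-47d992a4c6e5

  • primary_connection_host

    percolysrl2.ddns.net

  • request_elevation

    true

  • use_custom_dns_server

    false
"""

_INT = re.compile(r"^-?\d+$")
_SCI = re.compile(r"^-?\d+(\.\d+)?[eE][+-]?\d+$")


def _coerce(raw: str) -> Any:
    """Map the export's string values onto Python types."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if _INT.match(raw):
        return int(raw)
    if _SCI.match(raw):
        return int(float(raw))   # byte sizes exported as 1.048576e+07 etc.
    return raw


def parse_config(dump: str) -> Dict[str, Any]:
    """Parse the bullet/value layout; a key with no value maps to None."""
    cfg: Dict[str, Any] = {}
    key: Optional[str] = None
    for line in dump.splitlines():
        text = line.strip()
        if not text:
            continue
        if text.startswith("•"):
            key = text[1:].strip()
            cfg[key] = None           # stays None if the next line is a key
        elif key is not None and cfg[key] is None:
            cfg[key] = _coerce(text)
    return cfg


def extract_iocs(cfg: Dict[str, Any]) -> Dict[str, List[str]]:
    """Indicators worth blocking; DNS servers only count if actually used."""
    port = cfg.get("connection_port")
    hosts = [cfg.get("primary_connection_host"), cfg.get("backup_connection_host")]
    dns_keys = ("primary_dns_server", "backup_dns_server")
    return {
        "c2": [f"{h}:{port}" for h in hosts if h],
        "mutex": [cfg["mutex"]] if cfg.get("mutex") else [],
        "custom_dns": [cfg[k] for k in dns_keys if cfg.get(k)]
                      if cfg.get("use_custom_dns_server") else [],
    }


def risk_flags(cfg: Dict[str, Any]) -> List[str]:
    """Boolean settings that change how the implant behaves on the host."""
    checks = {
        "bypass_user_account_control": "UAC bypass enabled",
        "request_elevation": "requests elevation on start",
        "clear_zone_identifier": "removes Zone.Identifier (Mark-of-the-Web)",
        "run_on_startup": "client-side startup persistence",
        "keyboard_logging": "keylogger enabled",
        "set_critical_process": "marks itself a critical process",
    }
    return [msg for key, msg in checks.items() if cfg.get(key) is True]
```

Feeding the full Attributes list to parse_config instead of the excerpt adds the remaining flags (clear_zone_identifier is true on this sample, run_on_startup and keyboard_logging are false); a key with no value line comes through as None rather than breaking the parse.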

Targets

    • Target

      image.exe

    • Size

      779KB

    • MD5

      7349c111442a81bd317c11bc6ae54272

    • SHA1

      60955f9f7eac98908168bbd10dea35c0562ed79b

    • SHA256

      41e0b1de55bbfe30925144c498ee806aeb17422f4a1b867e1bf5f0c3685e892c

    • SHA512

      3eccabe6ad904fe56cf6c465a6096e868f9d8087af9f031a35d21876a016e97745f45c3e822bf63098036a39dd219406c28514c97753b48bcdb649870df91cfe

    • SSDEEP

      12288:kGazCwgqaVouy0Pl2T5xw02/ZFxeciN9/ogrKgvFZpxJ+7ZXJUNcTEy9+Refu:kBC/qaSuyK2TEbe//s8FfxJ8ZXJNyo

    • NanoCore

      NanoCore is a .NET-based remote access tool (RAT) with a plugin architecture that provides a variety of capabilities; the values under Malware Config above are its extracted client configuration.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (the -ExclusionExtension, -ExclusionPath and -ExclusionProcess parameters of Add-MpPreference), so that files dropped in those locations are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence (refusing to run in particular countries).

    • Adds Run key to start application

      Persistence via a CurrentVersion\Run registry value. The extracted config has run_on_startup set to false, so this persistence was observed from the sample's behaviour rather than implied by that client setting.

    • Checks whether UAC is enabled

      Consistent with the bypass_user_account_control and request_elevation settings in the extracted config.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is a hallmark of process hollowing and injection, where execution of a suspended thread is redirected into injected code.
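The behaviours above map onto a few concrete host artefacts: a PowerShell command line invoking Add-MpPreference with exclusion parameters, a registry read of the configured country code, a read of EnableLUA to test whether UAC is on, and a value written under CurrentVersion\Run. As an added example, not code from the sandbox or from this report, the Python below runs those four checks over a constructed API trace in a generic JSON-lines form (the field names api/key/value/data/cmdline are my own and not the sandbox's export format). The registry path used for the location check (HKCU\Control Panel\International\Geo\Nation, where Windows stores the GeoID) is an assumption about what the "Checks computer location settings" signature keys on.

```python
import json
import re
from typing import Dict, List

# Constructed API-trace events in a generic JSON-lines shape (not the
# sandbox's real export format): one per behaviour listed above plus two
# benign lines that must not fire.
SAMPLE_EVENTS = r"""
{"api": "RegQueryValueExW", "key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}
{"api": "RegQueryValueExW", "key": "HKCU\\Control Panel\\International", "value": "Locale"}
{"api": "RegQueryValueExW", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "value": "EnableLUA"}
{"api": "CreateProcessW", "cmdline": "powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming -ExclusionExtension exe -ExclusionProcess image.exe"}
{"api": "CreateProcessW", "cmdline": "powershell.exe Get-MpPreference"}
{"api": "RegSetValueExW", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "image", "data": "C:\\Users\\victim\\AppData\\Roaming\\image.exe"}
"""

# Add-MpPreference or Set-MpPreference with any of the three exclusion parameters.
_DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
# Classic Run/RunOnce persistence keys in either hive.
_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Assumption: the location check reads the GeoID value "Nation" under this key.
_GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
# EnableLUA under Policies\System is the on/off switch for UAC.
_UAC_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)


def classify(event: Dict) -> List[str]:
    """Return the behaviour tags an event matches (empty list if none)."""
    api = event.get("api", "")
    key = event.get("key", "")
    name = event.get("value", "").lower()
    hits: List[str] = []
    if api.startswith("CreateProcess") and _DEFENDER_EXCLUSION.search(event.get("cmdline", "")):
        hits.append("defender_exclusion")
    if api.startswith("RegSetValueEx") and _RUN_KEY.search(key):
        hits.append("run_key_persistence")
    if api.startswith("RegQueryValueEx") and _GEO_KEY.search(key) and name == "nation":
        hits.append("geo_lookup")
    if api.startswith("RegQueryValueEx") and _UAC_KEY.search(key) and name == "enablelua":
        hits.append("uac_check")
    return hits


def scan(lines: str) -> Dict[str, List[Dict]]:
    """Group matching events by tag across a JSON-lines trace."""
    findings: Dict[str, List[Dict]] = {}
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        for tag in classify(event):
            findings.setdefault(tag, []).append(event)
    return findings
```

The Get-MpPreference line and the Locale read are there to show the rules key on the exclusion parameters and on the specific value name, not on "powershell" or "International" alone; in production telemetry the same logic would sit on process-creation and registry events rather than a sandbox API trace.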

MITRE ATT&CK Enterprise v15

Tasks