General

Target: RNSM00474.7z
Size: 66.2MB
Sample: 240924-zz2s9syejd
MD5: dd4d8150f7e6c0f228be9a3a86e2aef7
SHA1: 6afcb1e7476d2bcc4b3d5019f620c0feeb929c0f
SHA256: c25b8011aaa30aeda483c227f1147ce1dff248e0eeacc2939c9b9c7b9194730d
SHA512: 6a4e25fe505c942e25e6a13c356b4c2bad946210274585986b8f3a20ee1b794ac63516b4ea699f4cf560d9c8c352e378314c2b6a467c7639b5e06744425bba21
SSDEEP: 1572864:uIXZWY5O+pQmc2D0cJw23RtlCuFQVd+scH//rmzZO/QQPW9c:TPpQAYdYHQOswzn
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00474.7z
Resource: win10v2004-20240802-en
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: malubulule.ddns.net:54984, 127.0.0.1:54984
Mutex: aa8874ba-71d5-4eb5-b609-4e5ccb54d4d6

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-04-21T15:50:42.698052636Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54984
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: aa8874ba-71d5-4eb5-b609-4e5ccb54d4d6
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: malubulule.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Targets

Target: RNSM00474.7z
- Renames multiple (92) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- XMRig Miner payload
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Modify Registry (1)
- System Binary Proxy Execution (1)
  - Regsvcs/Regasm (1)