General

  • Target

    sorenq.zip

  • Size

    4.0MB

  • Sample

    241224-kz5gtstmap

  • MD5

    8c8355a5982d5c23cf46e1bc208d71f9

  • SHA1

    f3582d5e9ff9d8a93f81fa573b6fe96715002823

  • SHA256

    6421b8dd3f429921cd2cd3b9d6809f8a860d2f6acb58be9387ff14541dc07878

  • SHA512

    fae8127f885f706d57b9af4c5bcc0c45303301f03da316558ec18e5a67d3532d579d7845e1a3042d19326f06ddbcbd5aadea4590fcd6beac9ef0f3f012274696

  • SSDEEP

    98304:i83pEdZEqpFLPHmYT4sww+/HDPT8pwC8AEP0jdSeww80MDeMy+O:dZjqL6idm84L0ceD

Malware Config

Targets

    • Target

      download.exe

    • Size

      4.0MB

    • MD5

      5577c8755bee3b80e17e42e80eadde86

    • SHA1

      79ebbc3f9d175669ee090f53b93a925b42281b73

    • SHA256

      85ba99319f22cde0abd25e839a7a230a730f1d52e546754873e479be88e65da1

    • SHA512

      2d88bc7339c5629e21c00dbf63152a3389110752be0610d8744ce5f89037701e51f40a102730f9e843555749e69607c3b8896b5fbcab76662ab3a3640e45053d

    • SSDEEP

      98304:oPk7tEUpppPxYyTUsAoQ9/hZjipqYW+YHeFJeAuw8agFo2Gm:GdUfAaBE+OzYIo

    • Modifies WinLogon for persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
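
    The signatures above name registry-based checks (Winlogon persistence, ACPI/BIOS anti-VM probes, country code, mounted drives, UAC state) without listing the keys. The following PowerShell is an added triage script, not part of this sandbox report and not code from the sample: it reads the registry locations these signature names conventionally refer to on a Windows host, flags a non-default Winlogon Shell/Userinit, and reports whether the host exposes the VirtualBox/BIOS artifacts the sample appears to look for. The key paths and the expected default values are assumptions based on stock Windows installs; run it elevated on the infected host or, before detonation, on the analysis VM to see which evasion checks would trip.

```powershell
# Added example, not from the Triage report or the sample. Registry paths and
# stock defaults below are assumptions based on a standard Windows install.
# Run from an elevated PowerShell session.

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. "Modifies WinLogon for persistence": Shell and Userinit should still point
#    at the stock binaries. Anything appended or swapped in runs at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe'   # default carries a trailing comma
}
foreach ($name in $expected.Keys) {
    $val = Get-RegValueSafe -Path $winlogon -Name $name
    if ($null -eq $val) { "[?] Winlogon\$name not present"; continue }
    if ($val.Trim().TrimEnd(',') -ine $expected[$name]) {
        "[!] Winlogon\$name modified: '$val' (expected '$($expected[$name])')"
    } else {
        "[ok] Winlogon\$name = '$val'"
    }
}
# A per-user Winlogon key is rarely legitimate; report any values found there.
$userWinlogon = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($userWinlogon) { "[!] HKCU Winlogon values present: $($userWinlogon.PSObject.Properties.Name -notmatch '^PS' -join ', ')" }

# 2. "Identifies VirtualBox via ACPI registry values" / "Checks BIOS information":
#    if these artifacts are visible, the RAT may have bailed out before showing
#    its real behaviour in the sandbox.
$acpiVbox = Get-ChildItem -Path 'HKLM:\HARDWARE\ACPI' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'VBOX*' }
if ($acpiVbox) { "[!] VirtualBox ACPI tables visible: $($acpiVbox.Name -join ', ')" }
else           { "[ok] no VBOX* ACPI table names under HKLM\HARDWARE\ACPI" }

$bios = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
foreach ($n in 'SystemBiosVersion', 'VideoBiosVersion') {
    $v = ($bios.$n -join ' ')
    if ($v -match 'VBOX|VirtualBox|VMware|QEMU|Bochs|Xen') { "[!] $n reveals hypervisor: $v" }
    else                                                     { "[ok] $n = $v" }
}

# 3. "Checks computer location settings": the GeoID (and ISO name on newer
#    builds) that a geofence check would compare against its allow/deny list.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
"[i] Geo\Nation = $($geo.Nation); Geo\Name = $($geo.Name)"

# 4. "Maps connected drives based on registry": a near-empty MountedDevices key
#    is a common sandbox tell.
$mounted = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue
if ($mounted) { "[i] MountedDevices entries: $($mounted.ValueCount)" }

# 5. "Checks whether UAC is enabled": EnableLUA=0 means no elevation prompt.
$lua = Get-RegValueSafe -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA'
"[i] EnableLUA = $lua"
```

    The Winlogon comparison is the only part that emits a hard finding; sections 2 through 5 are informational, since the same registry data is read by plenty of benign software and the point is to know what the sample would have seen. If the analysis VM prints a VBOX ACPI table or a hypervisor BIOS string, expect the anti-VM checks to have altered the recorded behaviour.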

MITRE ATT&CK Enterprise v15

Tasks