Analysis
- max time kernel: 127s
- max time network: 134s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-11-2020 17:18
Static task: static1
Behavioral task: behavioral1
- Sample: e77f5e642756206d8f21e0230a134040.rtf
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: e77f5e642756206d8f21e0230a134040.rtf
- Resource: win10v20201028
General
- Target: e77f5e642756206d8f21e0230a134040.rtf
- Size: 13KB
- MD5: e77f5e642756206d8f21e0230a134040
- SHA1: d4b3eb5fe7af003da6141a57cb641bd960506a70
- SHA256: e11f59ce9dae9fcff7ff4c8d3d119dd663a1918d084f8cda7b30c474cd141642
- SHA512: 75c1c081adcb5115580c52daeaa9af08fd7d7b8a9d8ec29fb19f9c3efb5543af3acf0e0ba54fe4832cc5d4a5b1efa73f042b3ac5d90f34b6555bf17dc4c1b9bc
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
- Mutex: 3a9317bb-f4c9-498b-9bcd-6f676b5f42c8

Configuration keys:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-09T22:17:26.589249336Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2017
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 3a9317bb-f4c9-498b-9bcd-6f676b5f42c8
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Blacklisted process makes network request (1 IoCs)
Processes:
- flow 7, pid 1904, EQNEDT32.EXE

Executes dropped EXE (3 IoCs)
Processes:
- pid 724, vbc.exe
- pid 928, vbc.exe
- pid 1480, vbc.exe

Loads dropped DLL (4 IoCs)
Processes:
- pid 1904, EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe" (vbc.exe)

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (vbc.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 724 (vbc.exe) set thread context of 1480 (vbc.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File opened for modification: C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe (vbc.exe)
- File created: C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe (vbc.exe)

Drops file in Windows directory (1 IoCs)
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 1212, schtasks.exe
- pid 1996, schtasks.exe

Delays execution with timeout.exe (1 IoCs)
Processes:
- pid 316, timeout.exe

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
- pid 1640, WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- pid 724, vbc.exe (2 entries)
- pid 1480, vbc.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 1480, vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 724, vbc.exe
- Token: SeDebugPrivilege, pid 1480, vbc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 1640, WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
- PID 1904 (EQNEDT32.EXE) wrote to memory of 724 (vbc.exe) (4 entries)
- PID 724 (vbc.exe) wrote to memory of 316 (timeout.exe) (4 entries)
- PID 724 (vbc.exe) wrote to memory of 928 (vbc.exe) (4 entries)
- PID 724 (vbc.exe) wrote to memory of 1480 (vbc.exe) (9 entries)
- PID 1480 (vbc.exe) wrote to memory of 1212 (schtasks.exe) (4 entries)
- PID 1480 (vbc.exe) wrote to memory of 1996 (schtasks.exe) (4 entries)
Processes (indented by depth in the process tree)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e77f5e642756206d8f21e0230a134040.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blacklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 18
        - Delays execution with timeout.exe

        C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE

        C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp"
            - Creates scheduled task(s)

            C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF94E.tmp"
            - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp
- MD5: deb609c2718f3cdffec272701c7cbefa
- SHA1: 41371e8823d438d91ecf9a84738fd179204353df
- SHA256: 331ff9d8f5a059660b5e9f4141cecd44b42b2a066f1053f59f87b5c1e5ec6ec4
- SHA512: 9f976c70e4c3e11674f122f29585169bbb9ce8e0cddbbc1d1705169b1b36175e17ab4986753d62f7e9e84d80a9a3077626e22ab7ee26b2b1f2dd2a9b4734385f

C:\Users\Admin\AppData\Local\Temp\tmpF94E.tmp
- MD5: 41808f05a9aa523d0ef506d4993f1d6c
- SHA1: 5a228145decf63ebbbd673c9b7c08a86236a22d4
- SHA256: f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731
- SHA512: 7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

C:\Users\Public\vbc.exe
- MD5: 181a6a0a18b62c9cf11f133506f1e506
- SHA1: 67aff0f365997fe49271b6b41bf6bf0d308a7e7a
- SHA256: d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343
- SHA512: a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3