Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-05-2021 13:06

Static task: static1
Behavioral task: behavioral1
- Sample: 471e3984_by_Libranalysis.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 471e3984_by_Libranalysis.doc
- Resource: win10v20210408

The signatures, process tree, PIDs and memory dumps below come from the windows7_x64 run (resource win7v20210408); the Office14 paths under C:\Program Files (x86) match that image.
General
- Target: 471e3984_by_Libranalysis.doc
- Size: 10KB
- MD5: 471e39840386d6b9c8e565123a389364
- SHA1: d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
- SHA256: 012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c
- SHA512: 13b841bab9f2ef3ce9a27854a09682ba8983df16b4551e997359511f19decb94f85b23b3811f742fd99fdb7f2985b8063a6444b6c556e7cbafebf8f4b3f4a1e5
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 79.134.225.26:1133
- C2: nassiru1166main.ddns.net:1133
- Identifier: 21f4355e-8257-4e77-8f1b-c822c6ea3cbe

- activate_away_mode: true
- backup_connection_host: nassiru1166main.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-02-05T23:55:31.583125836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1133
- default_group: BUILD
- enable_debug_mode: true
- gc_threshold: 10485760 (printed as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (printed as 1.048576e+07)
- mutex: 21f4355e-8257-4e77-8f1b-c822c6ea3cbe
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 79.134.225.26
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Reading the configuration: the two connection hosts on port 1133 are the C2 endpoints (the domain is a dynamic-DNS name, so the IP it resolves to can change). The primary and backup DNS-server fields are Google's public resolvers and use_custom_dns_server is false, so they are not indicators and should not be blocklisted from this config. The mutex is the same GUID as the identifier and is the host-side indicator. bypass_user_account_control, request_elevation and run_on_startup are all true, so the client tries to elevate and persists across reboots; set_critical_process is also true, which marks the client process as critical to the OS, so terminating it outright on an infected host can crash the machine. Suspend or isolate the host before killing the process. keyboard_logging is false in this build.
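The following is an added example, not part of the sandbox report or any vendor tooling, showing how the C2 fields in the configuration above become network indicators and how those indicators are matched against connection and DNS records. CONFIG copies the relevant values from the Malware Config section; the conn and dns records are constructed (Zeek-style tab-separated fields, hand-written and reduced to the columns used here), not captured traffic. The point it makes is which fields are indicators: the connection hosts are, the DNS-server fields are not.

```python
"""Network indicators from the extracted NanoCore config, hunted in log records.

Added example, not part of the sandbox report. CONFIG copies values from the
report's Malware Config section; CONN_LOG and DNS_LOG are constructed records
in a Zeek-like layout (ts, orig_h, resp_h, resp_p / ts, orig_h, query, answer).
"""
import ipaddress

CONFIG = {
    "primary_connection_host": "79.134.225.26",
    "backup_connection_host": "nassiru1166main.ddns.net",
    "connection_port": 1133,
    "primary_dns_server": "8.8.8.8",   # public resolver, not an indicator
    "backup_dns_server": "8.8.4.4",    # public resolver, not an indicator
    "use_custom_dns_server": False,
    "mutex": "21f4355e-8257-4e77-8f1b-c822c6ea3cbe",
}


def indicators(cfg):
    """Split the C2 hosts into IPs and domains.

    The *_dns_server fields are deliberately left out: they are Google's
    resolvers, and use_custom_dns_server is false, so matching on them would
    only produce false positives across the whole estate.
    """
    ips, domains = set(), set()
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg[key].strip()
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.lower())
    return {"ips": ips, "domains": domains,
            "port": int(cfg["connection_port"]), "mutex": cfg["mutex"]}


# Constructed sample records (not real traffic).
CONN_LOG = """\
1620046000.101\t10.0.0.5\t79.134.225.26\t1133
1620046001.202\t10.0.0.5\t8.8.8.8\t53
1620046002.303\t10.0.0.7\t93.184.216.34\t443
1620046003.404\t10.0.0.8\t79.134.225.26\t8080
"""
DNS_LOG = """\
1620046004.505\t10.0.0.9\tnassiru1166main.ddns.net\t79.134.225.26
1620046005.606\t10.0.0.9\twww.example.com\t93.184.216.34
"""


def hunt(cfg, conn_log, dns_log):
    """Return (source, internal host, kind, detail) for every record that
    touches a C2 indicator. A connection to the C2 IP on another port is still
    reported, tagged as a port mismatch, because the host alone is a strong
    indicator and the same server can serve several builds."""
    ind = indicators(cfg)
    hits = []
    for line in conn_log.splitlines():
        _ts, src, dst, port = line.split("\t")
        if dst in ind["ips"]:
            kind = "c2-conn" if int(port) == ind["port"] else "c2-conn-port-mismatch"
            hits.append(("conn", src, kind, f"{dst}:{port}"))
    for line in dns_log.splitlines():
        _ts, src, query, answer = line.split("\t")
        if query.lower() in ind["domains"]:
            hits.append(("dns", src, "c2-domain-query", query))
        elif answer in ind["ips"]:
            # A different name resolving to the C2 IP: still worth a look.
            hits.append(("dns", src, "c2-ip-answer", query))
    return hits


if __name__ == "__main__":
    for hit in hunt(CONFIG, CONN_LOG, DNS_LOG):
        print(hit)
```

The mutex value is carried in the indicator set because it is the host-side check (a process holding a mutex named with that GUID), which a network hunt cannot perform; the dynamic-DNS domain should be resolved at hunt time rather than relying on the IP alone, since the IP in the config may already be stale.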
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 15, PID 1644, EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 636, vbc.exe
- Abuses OpenXML format to download file from external location (2 IoCs)
  Key created (WINWORD.EXE): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key opened (WINWORD.EXE): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://cutt.ly/dbzEXdF
  The Offline\Files key names the URL Word fetched while opening the document. With a 10KB size and a .doc extension, this is an OpenXML package whose real content is referenced externally; the URL is a short link, so the final host is not visible in this report. The Equation Editor launch and the MZ/PE download by EQNEDT32.EXE that follow are consistent with the fetched content carrying the exploit object.
- Loads dropped DLL (4 IoCs)
  PID 1644, EQNEDT32.EXE (four loads)
- Uses the VBS compiler for execution (1 TTP)
  This signature keys on the file name vbc.exe. The process that runs here is C:\Users\Public\vbc.exe, the dropped file listed under Executes dropped EXE and Downloads, not the Visual Basic compiler installed under the .NET Framework directory.
- Suspicious use of SetThreadContext (1 IoC)
  PID 636 (vbc.exe) set thread context of PID 364 (RegSvcs.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification (WINWORD.EXE): C:\Windows\Debug\WIA\wiatrace.log
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Microsoft removed it from Office in the January 2018 updates; the Office14 (Office 2010) installation on this VM still has it, which is why the chain could run at all. The process is EQNEDT32.EXE, PID 1644.
- Modifies Internet Explorer settings (WINWORD.EXE; all keys under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer)
  Key created: MenuExt
  Key created: MenuExt\Se&nd to OneNote
  Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: Toolbar
  Set value (str): Toolbar\ShowDiscussionButton = "Yes"
  Key created: MenuExt\E&xport to Microsoft Excel
  Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  These are the IE context-menu and toolbar entries that Office 2010 registers for itself (they point at Office's own ONBttnIE.dll and EXCEL.EXE resources); they are Office housekeeping on first run, not attacker changes.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1652, WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 636, vbc.exe (1); PID 364, RegSvcs.exe (6)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 364, RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  SeShutdownPrivilege: PID 1652, WINWORD.EXE
  SeDebugPrivilege: PID 636, vbc.exe
  SeDebugPrivilege: PID 364, RegSvcs.exe
- Suspicious use of SetWindowsHookEx (16 IoCs)
  PID 1652, WINWORD.EXE (16 calls)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1644 (EQNEDT32.EXE) wrote to memory of PID 636 (vbc.exe): 4 events
  PID 1652 (WINWORD.EXE) wrote to memory of PID 2020 (splwow64.exe): 4 events
  PID 636 (vbc.exe) wrote to memory of PID 364 (RegSvcs.exe): 12 events
  RegSvcs.exe carries the RAT-like behaviours (SeDebugPrivilege, process enumeration, foreground-window polling) even though it is a signed Microsoft utility, which is consistent with the NanoCore payload having been injected into it by vbc.exe.
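The "Abuses OpenXML format to download file from external location" signature is a runtime observation (Word opened the Offline\Files key for https://cutt.ly/dbzEXdF). The same fact can be established statically before the file is ever opened: an OpenXML package that loads remote content does so through a relationship with TargetMode="External" in one of its .rels parts. The following is an added example, not part of the sandbox report or any vendor tool, that builds a minimal package in memory with an external attachedTemplate relationship (the remote-template pattern) and a benign hyperlink, then classifies the external relationships. The template URL passed in is the one recorded in the report; the package layout, part names and the example.com hyperlink are standard OpenXML structure assumed for the demonstration, not extracted from the sample.

```python
"""Static check for external relationships in an OpenXML document.

Added example, not from the sandbox report. build_sample_docx() constructs a
minimal package in memory; the only value taken from the report is the URL
passed to it. Everything else is the standard OpenXML layout.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship types that make Word fetch and load the target when the
# document is opened (as opposed to a hyperlink, which only fires on click).
FETCHING_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def is_openxml(data: bytes) -> bool:
    """OpenXML files are zip packages whatever the extension says (.doc here).
    A legacy binary .doc starts with the OLE2 signature D0 CF 11 E0 instead."""
    return data[:2] == b"PK"


def external_relationships(data: bytes):
    """Every relationship in any *.rels part with TargetMode="External",
    returned as (part name, short relationship type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    short = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short, rel.get("Target")))
    return found


def triage(data: bytes):
    """Separate relationships that fetch at open time from ordinary links."""
    if not is_openxml(data):
        return {"format": "not-openxml", "fetches": [], "links": []}
    fetches, links = [], []
    for part, short, target in external_relationships(data):
        (fetches if short in FETCHING_TYPES else links).append((part, short, target))
    return {"format": "openxml", "fetches": fetches, "links": links}


def build_sample_docx(template_url: str) -> bytes:
    """Constructed package: settings.xml declares an attached template whose
    relationship points outside the package, plus one normal hyperlink so the
    classifier has a benign external relationship to leave alone."""
    settings_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_NS}/attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>'
    )
    document_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_NS}/settings" Target="settings.xml"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL_NS}/hyperlink" '
        f'Target="https://example.com/" TargetMode="External"/></Relationships>'
    )
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:r="{DOC_REL_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://cutt.ly/dbzEXdF")
    print(triage(sample))
```

Run against a real submission, triage() takes the file bytes directly; a "not-openxml" result on a .doc means the file is a legacy OLE2 document (or RTF) and needs a different parser, which is exactly the case an Equation Editor exploit document itself usually falls into. The short link in this sample means the static check yields the redirector, not the final host; resolving it is a sandbox job, not a static one.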
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1652, level 1)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\471e3984_by_Libranalysis.doc"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2020, level 2)
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1644, level 1)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 636, level 2)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 364, level 3)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

EQNEDT32.EXE sits at level 1 rather than under WINWORD.EXE because it is started as an out-of-process COM server (the -Embedding switch) by the DCOM launcher service, not as a direct child of Word. Detection rules that require Office as the parent of the payload therefore miss this chain; EQNEDT32.EXE spawning any child process at all is the abnormal event. The chain is EQNEDT32.EXE -> C:\Users\Public\vbc.exe -> RegSvcs.exe: vbc.exe writes to RegSvcs.exe's memory twelve times and then sets its thread context, the usual process-hollowing sequence, and the 560KB region at 0x400000-0x48C000 dumped from PID 364 is consistent with the injected image. splwow64.exe under WINWORD.EXE is the 32-bit print-driver host on a 64-bit system and is expected there.
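The following is an added example, not part of the sandbox report, of the detection logic the process tree above calls for, run over constructed process-creation records. The PIDs, image paths, command lines and parent/child links are copied from the report's tree; the record layout follows Sysmon Event ID 1 but the records are hand-written, not captured telemetry. The svchost.exe parent of EQNEDT32.EXE (PID 600) is an assumption the report does not show: COM servers launched with -Embedding are started by the DcomLaunch service, and the rule set below is built so that it does not need Office to be the parent.

```python
"""Process-chain detection for Office -> Equation Editor -> dropped EXE -> .NET host.

Added example, not part of the sandbox report. EVENTS mirrors the report's
process tree; the svchost.exe record (PID 600) is an assumed DcomLaunch parent
for EQNEDT32.EXE that the report itself does not display.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PID 600 is assumed, see above).
EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(1652, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\471e3984_by_Libranalysis.doc"'),
    ProcEvent(2020, 1652, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1644, 600, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(636, 1644, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(364, 636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"'),
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def name_of(image: str) -> str:
    return ntpath.basename(image).lower()


def detect(events):
    """Return (rule, pid, detail) alerts for the three links in the chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = name_of(parent.image) if parent else ""
        image = e.image.lower()
        # 1. Equation Editor renders equations; it never needs to start a process.
        #    This fires regardless of who launched EQNEDT32.EXE itself.
        if pname == "eqnedt32.exe":
            alerts.append(("eqnedt32_spawned_child", e.pid, name_of(image)))
        # 2. An Office-side process starting an executable from a user-writable path.
        if pname in OFFICE_HOSTS and any(p in image for p in USER_WRITABLE):
            alerts.append(("office_exec_from_user_writable_path", e.pid, name_of(image)))
        # 3. A signed .NET utility started by something outside the trusted roots:
        #    the usual hollowing target, matching the SetThreadContext IoC.
        if (name_of(image) in DOTNET_UTILITIES and parent is not None
                and not parent.image.lower().startswith(TRUSTED_ROOTS)):
            alerts.append(("dotnet_utility_untrusted_parent", e.pid, pname))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 1 carries the weight here: it needs no knowledge of the payload name or path. Rule 2 would miss a payload dropped into a trusted-looking directory, and rule 3 needs a trusted-root list tuned to the environment (build servers legitimately start MSBuild.exe from other paths). All three key on image names, which an attacker controls, so they are hunting rules rather than hard blocks; the Loads dropped DLL, WriteProcessMemory and SetThreadContext signatures in the report are the stronger, name-independent signals.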
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; the report lists the same file six times with identical hashes)
  MD5: 042aa11c6d49e1cca5923f02d1b0a5ae
  SHA1: 5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
  SHA256: 3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
  SHA512: 6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184
Memory dumps (name is PID-sequence-range; PID 364 = RegSvcs.exe, 636 = vbc.exe, 1644 = EQNEDT32.EXE, 1652 = WINWORD.EXE, 2020 = splwow64.exe)
- memory/364-77-0x0000000000400000-0x000000000048C000-memory.dmp (560KB)
- memory/364-81-0x0000000000C11000-0x0000000000C12000-memory.dmp (4KB)
- memory/364-80-0x0000000000C10000-0x0000000000C11000-memory.dmp (4KB)
- memory/364-78-0x000000000041E792-mapping.dmp
- memory/636-68-0x0000000000000000-mapping.dmp
- memory/636-72-0x0000000000460000-0x0000000000461000-memory.dmp (4KB)
- memory/636-75-0x0000000000461000-0x0000000000462000-memory.dmp (4KB)
- memory/1644-63-0x00000000754F1000-0x00000000754F3000-memory.dmp (8KB)
- memory/1652-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1652-61-0x000000006FD01000-0x000000006FD03000-memory.dmp (8KB)
- memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1652-60-0x0000000072281000-0x0000000072284000-memory.dmp (12KB)
- memory/2020-73-0x0000000000000000-mapping.dmp
- memory/2020-74-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp (8KB)