Analysis

- Max time kernel: 149s
- Max time network: 181s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 04-06-2021 18:27
- Static task: static1
- Behavioral task: behavioral1 (Sample: nano.docx, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: nano.docx, Resource: win10v20210410)
General

- Target: nano.docx
- Size: 10KB
- MD5: 370c5933c34e634ee403ab76247c4161
- SHA1: 655f8384e54b1a1fe989c91bc678371497579f1b
- SHA256: 622129903441d47a1100584af9e16ba6cdcc6f035c3cffe44612ff0b83ed2cec
- SHA512: 222fa5d4075ed1dc419ce1e948714fa556324bdd67bbdfb0ad59f452db80ddc5b47f32b0d1cbb97ccfeb3b5241d5696a12dcd36c9565cb45e9560b76464eed3b
Malware Config

Extracted: nanocore 1.2.2.0
- ararat.mangospot.net:7747
- 185.140.53.216:7747
- 47ef45f5-c3cd-4adc-a596-91dff13978e9

Configuration:
- activate_away_mode: true
- backup_connection_host: 185.140.53.216
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-03-12T19:06:58.915943136Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value missing from source)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7747
- default_group: ArArAt
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 47ef45f5-c3cd-4adc-a596-91dff13978e9
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: ararat.mangospot.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Blocklisted process makes network request (1 IoC)
Processes (flow / pid / process):
- 14 / 1732 / EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 1608 / vbc.exe
- 1996 / vbc.exe

Abuses OpenXML format to download file from external location (2 IoCs)
Processes (description / ioc / process):
- Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
- Key opened / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQWAm / WINWORD.EXE

Loads dropped DLL (4 IoCs)
Processes (pid / process):
- 1732 / EQNEDT32.EXE (4 events)

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe" / vbc.exe

Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / vbc.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 1608 set thread context of 1996 / 1608 / vbc.exe / vbc.exe

Drops file in Program Files directory (2 IoCs)
Processes (description / ioc / process):
- File created / C:\Program Files (x86)\DPI Service\dpisv.exe / vbc.exe
- File opened for modification / C:\Program Files (x86)\DPI Service\dpisv.exe / vbc.exe

Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 532 / schtasks.exe
- 1396 / schtasks.exe
- 1796 / schtasks.exe

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / WINWORD.EXE
- Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / WINWORD.EXE
- Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
- Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / WINWORD.EXE
- Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / WINWORD.EXE
- Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / WINWORD.EXE
- Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / WINWORD.EXE
- Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / WINWORD.EXE
- Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt / WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid / process):
- 1976 / WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid / process):
- 1996 / vbc.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 1996 / vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeShutdownPrivilege / 1976 / WINWORD.EXE
- Token: SeDebugPrivilege / 1996 / vbc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
- 1976 / WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (description / pid / process / target process):
- PID 1732 wrote to memory of 1608 / 1732 / EQNEDT32.EXE / vbc.exe (4 events)
- PID 1976 wrote to memory of 1332 / 1976 / WINWORD.EXE / splwow64.exe (4 events)
- PID 1608 wrote to memory of 532 / 1608 / vbc.exe / schtasks.exe (4 events)
- PID 1608 wrote to memory of 1996 / 1608 / vbc.exe / vbc.exe (9 events)
- PID 1996 wrote to memory of 1396 / 1996 / vbc.exe / schtasks.exe (4 events)
- PID 1996 wrote to memory of 1796 / 1996 / vbc.exe / schtasks.exe (4 events)
Processes

Process tree (indentation shows parent/child; image path given where it differs from the command line):

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\nano.docx" (PID 1976)
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe 12288 (PID 1332)

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (PID 1732)
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
    "C:\Users\Public\vbc.exe" (PID 1608)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vjPnuYufSoUWF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp" (image: C:\Windows\SysWOW64\schtasks.exe, PID 532)
        - Creates scheduled task(s)
        "C:\Users\Public\vbc.exe" (PID 1996)
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
            "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp930C.tmp" (image: C:\Windows\SysWOW64\schtasks.exe)
            - Creates scheduled task(s)
            "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp93C8.tmp" (image: C:\Windows\SysWOW64\schtasks.exe)
            - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp
- MD5: e470967e11fce24e798c0fe9f6c2e1cf
- SHA1: 27adf961345f89d17dc061722b19ac5fe970a5b3
- SHA256: e914681fc45c1e9636a15a0dd6d2f9d505dd92a863b32ad9be4c05942213d6a0
- SHA512: ed45e5105b8bbacdebef6b4cb08004ac388e686b6f75214464f797ba1f57758213e4796d6265707ec5209733b2c5e35a22728840296aa7efda13d5be3a927aac

C:\Users\Admin\AppData\Local\Temp\tmp930C.tmp
- MD5: deb609c2718f3cdffec272701c7cbefa
- SHA1: 41371e8823d438d91ecf9a84738fd179204353df
- SHA256: 331ff9d8f5a059660b5e9f4141cecd44b42b2a066f1053f59f87b5c1e5ec6ec4
- SHA512: 9f976c70e4c3e11674f122f29585169bbb9ce8e0cddbbc1d1705169b1b36175e17ab4986753d62f7e9e84d80a9a3077626e22ab7ee26b2b1f2dd2a9b4734385f

C:\Users\Admin\AppData\Local\Temp\tmp93C8.tmp
- MD5: a9af285136db016a568e4a53208f21d0
- SHA1: e1afef2b7ee8ae945353315daa19a15574b435b7
- SHA256: 7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c
- SHA512: 80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

C:\Users\Public\vbc.exe
- MD5: 84e84f8a391847222863e17eecbc92e1
- SHA1: 8949740d846d92778eaefd5ec628146634489333
- SHA256: decbe1d976ee44f0300ec595e30320ba55c50afe995de7c6e1b3e610b77fa564
- SHA512: 539e0c2f93142591af96bfd013fbdd88f1293f6f8ca434ced23d4e204c03779b878660376a891c3c244bbfd6c7896a8b2b5cbc4e975daf7f9d5635d08f378032
Memory dumps (file size where reported):
- memory/532-79-0x0000000000000000-mapping.dmp
- memory/1332-74-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp (8KB)
- memory/1332-72-0x0000000000000000-mapping.dmp
- memory/1396-87-0x0000000000000000-mapping.dmp
- memory/1608-70-0x0000000001310000-0x0000000001311000-memory.dmp (4KB)
- memory/1608-75-0x00000000009C0000-0x00000000009C1000-memory.dmp (4KB)
- memory/1608-77-0x0000000005110000-0x000000000518F000-memory.dmp (508KB)
- memory/1608-78-0x0000000000C20000-0x0000000000C5C000-memory.dmp (240KB)
- memory/1608-73-0x0000000000A00000-0x0000000000A14000-memory.dmp (80KB)
- memory/1608-67-0x0000000000000000-mapping.dmp
- memory/1732-62-0x0000000076691000-0x0000000076693000-memory.dmp (8KB)
- memory/1796-89-0x0000000000000000-mapping.dmp
- memory/1976-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1976-59-0x00000000729C1000-0x00000000729C4000-memory.dmp (12KB)
- memory/1976-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1976-60-0x0000000070441000-0x0000000070443000-memory.dmp (8KB)
- memory/1996-82-0x000000000041E792-mapping.dmp
- memory/1996-84-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1996-81-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1996-86-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (4KB)
- memory/1996-91-0x0000000000390000-0x0000000000395000-memory.dmp (20KB)
- memory/1996-92-0x0000000000570000-0x0000000000589000-memory.dmp (100KB)
- memory/1996-93-0x00000000003A0000-0x00000000003A3000-memory.dmp (12KB)