Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-06-2021 18:28

- Static task: static1
- Behavioral task: behavioral1 (Sample: afo.docx, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: afo.docx, Resource: win10v20210408)
General
- Target: afo.docx
- Size: 10KB
- MD5: 92bd8363f47010e0cd7cc0a4a932b732
- SHA1: 6707bea3df95c553ea883a5370b600543779782d
- SHA256: 4582ac75eb6eb3b296e953f5b8d61ad638f765d474d3e2c14c6f3c07dbb219f0
- SHA512: b0af15ad466a974272fb2fc1401b6c6ed9b12af91f3aa63f74cb580a19a68c7191028cbe9091f0b27bde889b7f883cc7ccff5fdade128e782d24efb1cb5944f3
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: ararat.mangospot.net:7747
- C2: 185.140.53.216:7747
- Mutex: 47ef45f5-c3cd-4adc-a596-91dff13978e9

Configuration:
- activate_away_mode: true
- backup_connection_host: 185.140.53.216
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-03-12T19:06:58.915943136Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not present in this report)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7747
- default_group: ArArAt
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 47ef45f5-c3cd-4adc-a596-91dff13978e9
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: ararat.mangospot.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
- flow 13, PID 800, EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
- PID 1224, vbc.exe
- PID 1636, vbc.exe

Abuses OpenXML format to download file from external location (2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQXx3 (WINWORD.EXE)

Loads dropped DLL (4 IoCs)
Processes:
- PID 800, EQNEDT32.EXE (4 events)

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe" (vbc.exe)
Checks whether UAC is enabled (1 IoCs)
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (vbc.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 1224 (vbc.exe) set thread context of PID 1636 (vbc.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\LAN Host\lanhost.exe (vbc.exe)
- File opened for modification: C:\Program Files (x86)\LAN Host\lanhost.exe (vbc.exe)

Drops file in Windows directory (1 IoCs)
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 1792, schtasks.exe
- PID 1828, schtasks.exe
- PID 2004, schtasks.exe

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings (9 IoCs)
Processes (all by WINWORD.EXE, under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer):
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: Toolbar
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Key created: MenuExt
- Key created: MenuExt\Se&nd to OneNote
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
- PID 1116, WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 1636, vbc.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 1636, vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 1116, WINWORD.EXE
- Token: SeDebugPrivilege, PID 1636, vbc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 1116, WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source PID wrote to memory of target PID):
- PID 800 (EQNEDT32.EXE) -> PID 1224 (vbc.exe), 4 events
- PID 1116 (WINWORD.EXE) -> PID 276 (splwow64.exe), 4 events
- PID 1224 (vbc.exe) -> PID 1792 (schtasks.exe), 4 events
- PID 1224 (vbc.exe) -> PID 1636 (vbc.exe), 9 events
- PID 1636 (vbc.exe) -> PID 1828 (schtasks.exe), 4 events
- PID 1636 (vbc.exe) -> PID 2004 (schtasks.exe), 4 events
Processes (indentation shows the process tree; PIDs taken from the signatures above)
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1116)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\afo.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 276)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 800)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 1224)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1792)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjgpLCY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE39B.tmp"
      - Creates scheduled task(s)
    - C:\Users\Public\vbc.exe (PID 1636)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp"
        - Creates scheduled task(s)
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE6A8.tmp"
        - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE39B.tmp
  MD5: c5cef72a128ffe589adce13a5499d605
  SHA1: 80d0bdd2f708ac579f35e4f8dcc6373afd77d018
  SHA256: 0a831d66bd07d614eae3957e18e0c85ac634c1839a9217192c3ce5c2fca7debe
  SHA512: e7b24b7daff12a057858aae74b7aed8f31ac03b24ea831fc6e3d50cb281d73fd0e26b58e2cf6b3286276fb0b4cb032db71cd8a62b416f9e483eb770f2998ef96
- C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp
  MD5: deb609c2718f3cdffec272701c7cbefa
  SHA1: 41371e8823d438d91ecf9a84738fd179204353df
  SHA256: 331ff9d8f5a059660b5e9f4141cecd44b42b2a066f1053f59f87b5c1e5ec6ec4
  SHA512: 9f976c70e4c3e11674f122f29585169bbb9ce8e0cddbbc1d1705169b1b36175e17ab4986753d62f7e9e84d80a9a3077626e22ab7ee26b2b1f2dd2a9b4734385f
- C:\Users\Admin\AppData\Local\Temp\tmpE6A8.tmp
  MD5: 54865f98871478b2b88b7f8aa6100915
  SHA1: 6f8667f1ce25cebee2a7b460668736ff6bcfac54
  SHA256: 287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e
  SHA512: caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493
- C:\Users\Public\vbc.exe
  MD5: f6dccd16da5a8415c2f64ad72aa76068
  SHA1: b180d21b28512bacdff7bf680cad8326939fa316
  SHA256: 549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7
  SHA512: 94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be