Analysis

max time kernel: 101s
max time network: 153s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 11:36

Static task: static1
Behavioral task: behavioral1 (Sample: TT COPY.xlsx; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: TT COPY.xlsx; Resource: win10v20210410)
General

Target: TT COPY.xlsx
Size: 679KB
MD5: bff0c36c3c73c83a4a144bb7b5874056
SHA1: 4eaa93a36139ba7c7e60c90790ce3ece26b2cbce
SHA256: 9a28b730d4601c17f4bffa6c63c681e0f3c95d9f8c95a700c2b77c2bdb2dc8f9
SHA512: 7c1d3001c40803060fa4b60c486c4554cb46a8d1306869fecbc3ae747b0b26a547ba12198d22c3ddbb08301d088ae96aa2f66f132dd42a54556ccb47386885ca
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: godisgood1.hopto.org:7712
Mutex: 9ed8d108-2eb1-4e23-9679-783796e4baff

activate_away_mode: true
backup_connection_host: (not set)
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-04-23T17:16:53.813634136Z
bypass_user_account_control: false
bypass_user_account_control_data: (base64-encoded XML blob omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 7712
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 9ed8d108-2eb1-4e23-9679-783796e4baff
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: godisgood1.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

suricata: ET MALWARE Possible NanoCore C2 60B

Blocklisted process makes network request (1 IoC)
  Processes: flow 4, pid 1628 EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  Processes: pid 840 CBM.exe; pid 1052 CBM.exe; pid 1528 CBM.exe

Loads dropped DLL (2 IoCs)
  Processes: pid 1628 EQNEDT32.EXE (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe" (process: CBM.exe)
Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: CBM.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 840 CBM.exe set thread context of PID 1528 CBM.exe

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DPI Service\dpisv.exe (process: CBM.exe)
  File opened for modification: C:\Program Files (x86)\DPI Service\dpisv.exe (process: CBM.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
  All of the following by process EXCEL.EXE:
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: pid 1840 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: pid 840 CBM.exe (2 entries); pid 1528 CBM.exe (12 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1528 CBM.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 840 CBM.exe
  Token: SeDebugPrivilege, pid 1528 CBM.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: pid 1840 EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1628 EQNEDT32.EXE wrote to memory of PID 840 CBM.exe (4 entries)
  PID 1840 EXCEL.EXE wrote to memory of PID 916 splwow64.exe (4 entries)
  PID 840 CBM.exe wrote to memory of PID 1052 CBM.exe (4 entries)
  PID 840 CBM.exe wrote to memory of PID 1528 CBM.exe (9 entries)
  PID 1528 CBM.exe wrote to memory of PID 948 schtasks.exe (4 entries)
  PID 1528 CBM.exe wrote to memory of PID 904 schtasks.exe (4 entries)
Processes

[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT COPY.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Roaming\CBM.exe
    Command line: C:\Users\Admin\AppData\Roaming\CBM.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\CBM.exe
      Command line: "{path}"
      - Executes dropped EXE

    [depth 3] C:\Users\Admin\AppData\Roaming\CBM.exe
      Command line: "{path}"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp"
        - Creates scheduled task(s)

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp61FF.tmp"
        - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp
  MD5: 6bae186b8e002410e651b9ba00d16b25
  SHA1: 52b6b48b4be252776acc252f65a05d71340fe3f0
  SHA256: 97cd3bccc5f09d09db0f786fdd8682fcde28e11ecb90159a4925df02bc98194a
  SHA512: e79234d9467c46ac72b3631522e00dc18ea94d62c2fca6735b19c779ee9e66689a5de724ee90fd344c46cbf78576cc129455aa6415844bcfc88045435952e99d

C:\Users\Admin\AppData\Local\Temp\tmp61FF.tmp
  MD5: a9af285136db016a568e4a53208f21d0
  SHA1: e1afef2b7ee8ae945353315daa19a15574b435b7
  SHA256: 7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c
  SHA512: 80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

C:\Users\Admin\AppData\Roaming\CBM.exe
  MD5: d9b7fb50628a76fe7603d82f6f0c0bd8
  SHA1: 019ef807727684992fefd8dc47bdcc2593419389
  SHA256: c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113
  SHA512: e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412
Memory dumps

memory/840-69-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize 4KB)
memory/840-72-0x0000000000381000-0x0000000000382000-memory.dmp (Filesize 4KB)
memory/840-65-0x0000000000000000-mapping.dmp
memory/904-81-0x0000000000000000-mapping.dmp
memory/916-70-0x0000000000000000-mapping.dmp
memory/916-71-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp (Filesize 8KB)
memory/948-79-0x0000000000000000-mapping.dmp
memory/1528-74-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
memory/1528-75-0x000000000041E792-mapping.dmp
memory/1528-78-0x00000000002E0000-0x00000000002E1000-memory.dmp (Filesize 4KB)
memory/1628-62-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)
memory/1840-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/1840-59-0x000000002FD31000-0x000000002FD34000-memory.dmp (Filesize 12KB)
memory/1840-60-0x00000000717B1000-0x00000000717B3000-memory.dmp (Filesize 8KB)
memory/1840-83-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)