nanocore | 52601a9c0c289aa1e3de03a32f2c7c2d47c94685e3bc58b06c6932f1b65a88ca

General

Target

Sts Global Order.xlsx
Size

268KB
MD5

32f28af7bfd53e685b4cb23daa435ac1
SHA1

2b8161a2ff19950d6767cc1adbd7b85af04a335b
SHA256

52601a9c0c289aa1e3de03a32f2c7c2d47c94685e3bc58b06c6932f1b65a88ca
SHA512

1021cf15cfae872dd467e7f7476d0d2cd1e7fe953e4f0fe91fda7c450bda6cf46ca9fa01cfab7ddd0dbcb0d59ecb90b9eb5fba2579fc7dcfe8d25166b44f80b9

Score

10^/10

nanocore collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

newme122.3utilities.com:8822

newme1122.3utilities.com:8822

Mutex

dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe

Attributes

activate_away_mode
true
backup_connection_host
newme1122.3utilities.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-31T13:00:17.372768836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8822
default_group
A New TIme Has Come
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
newme122.3utilities.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1524-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1524-87-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1524-89-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1524-87-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1524-89-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1128 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1060 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1128 EQNEDT32.EXE
1128 EQNEDT32.EXE
1128 EQNEDT32.EXE
1128 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	1128	EQNEDT32.EXE

pid	process
1128	EQNEDT32.EXE
1128	EQNEDT32.EXE
1128	EQNEDT32.EXE
1128	EQNEDT32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exeRegSvcs.exe

description	pid	process	target process
PID 1060 set thread context of 108	1060	vbc.exe	RegSvcs.exe
PID 108 set thread context of 1524	108	RegSvcs.exe	vbc.exe
PID 108 set thread context of 764	108	RegSvcs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1128 EQNEDT32.EXE

pid	process
1500	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1128	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1588 EXCEL.EXE

pid	process
1588	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

vbc.exeRegSvcs.exevbc.exe

pid	process
1060	vbc.exe
1060	vbc.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
108	RegSvcs.exe
764	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

108 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1060 vbc.exe
Token: SeDebugPrivilege 108 RegSvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1588 EXCEL.EXE
1588 EXCEL.EXE
1588 EXCEL.EXE

pid	process
108	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1060	vbc.exe
Token: SeDebugPrivilege	108	RegSvcs.exe

pid	process
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

EQNEDT32.EXEvbc.exeRegSvcs.exe

description	pid	process	target process
PID 1128 wrote to memory of 1060	1128	EQNEDT32.EXE	vbc.exe
PID 1128 wrote to memory of 1060	1128	EQNEDT32.EXE	vbc.exe
PID 1128 wrote to memory of 1060	1128	EQNEDT32.EXE	vbc.exe
PID 1128 wrote to memory of 1060	1128	EQNEDT32.EXE	vbc.exe
PID 1060 wrote to memory of 1500	1060	vbc.exe	schtasks.exe
PID 1060 wrote to memory of 1500	1060	vbc.exe	schtasks.exe
PID 1060 wrote to memory of 1500	1060	vbc.exe	schtasks.exe
PID 1060 wrote to memory of 1500	1060	vbc.exe	schtasks.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 1060 wrote to memory of 108	1060	vbc.exe	RegSvcs.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 1524	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe
PID 108 wrote to memory of 764	108	RegSvcs.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Sts Global Order.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXFxEHIAOoJFws" /XML "C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp"
3⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\cqomial3.iaw"
4⤵
- Accesses Microsoft Outlook accounts
PID:1524

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\hy5v0l22.0wy"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqomial3.iaw
MD5
69b2a2e17e78d24abee9f1de2f04811a

SHA1
d19c109704e83876ab3527457f9418a7d053aa33

SHA256
1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

SHA512
eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy5v0l22.0wy
MD5
919e671c3d5959a91ef2d4c377d2b2ff

SHA1
b1202b19512bbd390d3d5164792501c87bb42c41

SHA256
d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651

SHA512
f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

Download Submit
C:\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
C:\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
\Users\Public\vbc.exe
MD5
5dc1d41e2f9969d85896921f7b4ae261

SHA1
8dae6eb305ead57eeddfdecbf34cca61af653973

SHA256
2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634

SHA512
96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63

Download Submit
memory/108-77-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/108-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/108-79-0x0000000000CD6000-0x0000000000CE7000-memory.dmp

Filesize
68KB

Download
memory/108-78-0x0000000000CD1000-0x0000000000CD2000-memory.dmp

Filesize
4KB

Download
memory/108-75-0x000000000041E792-mapping.dmp

Download
memory/108-74-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/108-70-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/108-71-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/108-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/764-91-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-100-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-97-0x0000000000442628-mapping.dmp

Download
memory/764-94-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-95-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-63-0x0000000000000000-mapping.dmp

Download
memory/1060-68-0x0000000002011000-0x0000000002012000-memory.dmp

Filesize
4KB

Download
memory/1060-67-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1128-58-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1500-69-0x0000000000000000-mapping.dmp

Download
memory/1524-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-87-0x0000000000411654-mapping.dmp

Download
memory/1524-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1588-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1588-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1588-56-0x0000000071B61000-0x0000000071B63000-memory.dmp

Filesize
8KB

Download
memory/1588-55-0x000000002F1A1000-0x000000002F1A4000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads