nanocore | 231a7c1d4526607ab197542d83aa3d8521c869818b17eabb74e0a3565acec050

General

Target

Contract PI.xlsx
Size

600KB
MD5

186a658f43a9ec18974bb3fc66fe7c0b
SHA1

46b06dc7c6d8283bca0c4bdb2936fe0f988b8703
SHA256

231a7c1d4526607ab197542d83aa3d8521c869818b17eabb74e0a3565acec050
SHA512

3405af1d046179bd457bad484220a26e8d25327fe4c92037b98c9f0fb11109cf0a43713590aa0b079c1c37575c025f3a66dcd5fe71e321152ea45dc548447b8d

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

watermalon1.sytes.net:2010

Mutex

b4ede67b-be7e-44fd-9e96-0c0f6d15978b

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-01T14:19:06.909657536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2010
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b4ede67b-be7e-44fd-9e96-0c0f6d15978b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
watermalon1.sytes.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

2 1460 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

DDF.exeDDF.exe

pid process

1076 DDF.exe
1088 DDF.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1460 EQNEDT32.EXE

flow	pid	process
2	1460	EQNEDT32.EXE

pid	process
1076	DDF.exe
1088	DDF.exe

pid	process
1460	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	DDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DDF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DDF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DDF.exe

description pid process target process

PID 1076 set thread context of 1088 1076 DDF.exe DDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDF.exe

description	pid	process	target process
PID 1076 set thread context of 1088	1076	DDF.exe	DDF.exe

Drops file in Program Files directory 2 IoCs

Processes:

DDF.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	DDF.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	DDF.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

908 schtasks.exe
1940 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1460 EQNEDT32.EXE

pid	process
908	schtasks.exe
1940	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1460	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

596 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DDF.exe

pid process

1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
1088 DDF.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DDF.exe

pid process

1088 DDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DDF.exe

description pid process

Token: SeDebugPrivilege 1088 DDF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

596 EXCEL.EXE
596 EXCEL.EXE
596 EXCEL.EXE

pid	process
596	EXCEL.EXE

pid	process
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe
1088	DDF.exe

pid	process
1088	DDF.exe

description	pid	process
Token: SeDebugPrivilege	1088	DDF.exe

pid	process
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXEDDF.exeDDF.exe

description	pid	process	target process
PID 1460 wrote to memory of 1076	1460	EQNEDT32.EXE	DDF.exe
PID 1460 wrote to memory of 1076	1460	EQNEDT32.EXE	DDF.exe
PID 1460 wrote to memory of 1076	1460	EQNEDT32.EXE	DDF.exe
PID 1460 wrote to memory of 1076	1460	EQNEDT32.EXE	DDF.exe
PID 596 wrote to memory of 1816	596	EXCEL.EXE	splwow64.exe
PID 596 wrote to memory of 1816	596	EXCEL.EXE	splwow64.exe
PID 596 wrote to memory of 1816	596	EXCEL.EXE	splwow64.exe
PID 596 wrote to memory of 1816	596	EXCEL.EXE	splwow64.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1076 wrote to memory of 1088	1076	DDF.exe	DDF.exe
PID 1088 wrote to memory of 1940	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 1940	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 1940	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 1940	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 908	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 908	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 908	1088	DDF.exe	schtasks.exe
PID 1088 wrote to memory of 908	1088	DDF.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Contract PI.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1816

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\DDF.exe
"C:\Users\Admin\AppData\Roaming\DDF.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\DDF.exe
"C:\Users\Admin\AppData\Roaming\DDF.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp50AF.tmp"
4⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp51D9.tmp"
4⤵
- Creates scheduled task(s)
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp50AF.tmp
MD5
6632813bf8f2dba52b4cfbe9abf40815

SHA1
52dc622961ad0e0fb1d9b844458ad3314ae74def

SHA256
bb52349b3ee754db8d6324f8b94b130f9a3b145276c9296811bca7d1074d4979

SHA512
6ec074566a734a24ec082716471488ec8658ce5d93fdd61b9e69b3545e19b769a9a9068e662bf56d047012fb90045244e3a487877c3d70f8e100526972ba9216

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51D9.tmp
MD5
c4aecdef99eba873119e79616df3f4b0

SHA1
b1b3af52655fb633eed909dfed05b64fbbfac37c

SHA256
24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b

SHA512
e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

Download Submit
C:\Users\Admin\AppData\Roaming\DDF.exe
MD5
f85ca66e06121eb29b26d78cc3f64554

SHA1
141bc2598b79d80bb3ceda6fe98c49ab7c694dd8

SHA256
2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885

SHA512
53a9caad2df5549538085ebae5427634b841398fc794502fd0b3d6e3f39313d1a738c34ec95ad47f4b37c61045b8e04cdd3339eed6edeeb5c0f91ed7c4e56fd7

Download Submit
C:\Users\Admin\AppData\Roaming\DDF.exe
MD5
f85ca66e06121eb29b26d78cc3f64554

SHA1
141bc2598b79d80bb3ceda6fe98c49ab7c694dd8

SHA256
2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885

SHA512
53a9caad2df5549538085ebae5427634b841398fc794502fd0b3d6e3f39313d1a738c34ec95ad47f4b37c61045b8e04cdd3339eed6edeeb5c0f91ed7c4e56fd7

Download Submit
C:\Users\Admin\AppData\Roaming\DDF.exe
MD5
f85ca66e06121eb29b26d78cc3f64554

SHA1
141bc2598b79d80bb3ceda6fe98c49ab7c694dd8

SHA256
2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885

SHA512
53a9caad2df5549538085ebae5427634b841398fc794502fd0b3d6e3f39313d1a738c34ec95ad47f4b37c61045b8e04cdd3339eed6edeeb5c0f91ed7c4e56fd7

Download Submit
\Users\Admin\AppData\Roaming\DDF.exe
MD5
f85ca66e06121eb29b26d78cc3f64554

SHA1
141bc2598b79d80bb3ceda6fe98c49ab7c694dd8

SHA256
2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885

SHA512
53a9caad2df5549538085ebae5427634b841398fc794502fd0b3d6e3f39313d1a738c34ec95ad47f4b37c61045b8e04cdd3339eed6edeeb5c0f91ed7c4e56fd7

Download Submit
memory/596-54-0x000000002FB71000-0x000000002FB74000-memory.dmp

Filesize
12KB

Download
memory/596-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/596-55-0x0000000071781000-0x0000000071783000-memory.dmp

Filesize
8KB

Download
memory/596-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/908-77-0x0000000000000000-mapping.dmp

Download
memory/1076-65-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1076-66-0x00000000004E1000-0x00000000004E2000-memory.dmp

Filesize
4KB

Download
memory/1076-59-0x0000000000000000-mapping.dmp

Download
memory/1088-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-72-0x000000000041E792-mapping.dmp

Download
memory/1088-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1460-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1816-64-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1816-62-0x0000000000000000-mapping.dmp

Download
memory/1940-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads