Overview

overview

10

Static

static

1

PO17276.xlsx

windows7-x64

10

PO17276.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO17276.xlsx

  • Size

    1.6MB

  • MD5

    8a2d5ad778a0b2c34bde0456319def1f

  • SHA1

    8de490068af01f3e130c6e7b542eb64297580177

  • SHA256

    8c3486d9911a83c4c909ec272c6faae3975ba541a3dcfd4eba6e4e29f40f7c74

  • SHA512

    371d817e4d3c13e9e753460ce2e87d1f40822e7eea3114a88f72392509b2e677a893e26f4a6ecfc2796daca5a9f26033b4678c0226252466ec4bdcd199a0ad1b

  • SSDEEP

    49152:UMAIWgHuoAFRlJppoPVL7FqDSqTupqjbcDHDxxd9AGZC:UMnLtuJpqP1gDShpMYjxz9ZC

Score
10/10
nanocorekeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jogard.duckdns.org:6513

Mutex

0bcef9ae-1ad9-450b-8199-18ecd78eee45

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    jogard.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-11-03T06:11:28.219071236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6513

  • default_group

    Grade7

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0bcef9ae-1ad9-450b-8199-18ecd78eee45

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    jogard.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO17276.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1212
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Roaming\word.exe
      C:\Users\Admin\AppData\Roaming\word.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Milburr\oxman.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          C:\Users\Admin\AppData\Roaming\word.exe
          4⤵
            PID:2888
          • C:\Users\Admin\AppData\Local\Milburr\oxman.exe
            "C:\Users\Admin\AppData\Local\Milburr\oxman.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Milburr\oxman.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1060

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Milburr\oxman.exe
      Filesize

      4.4MB

      MD5

      3cfafd6a34da9e4593d948536fce9ffa

      SHA1

      277f138654539667a16bcec32093f27deba144ea

      SHA256

      7a484318aa70d13f498ed00ecd847a26829e4d08a258dc65c6cf4132cb7a8442

      SHA512

      2d7badeb30ba482b6481bafc1511778743cff71378b326d557850a23de36183143ea7334e8bee6e5a1b2341033ae41686654232090f7cd1cef9ff52fe4edb23d

      Download Submit

    • C:\Users\Admin\AppData\Local\Milburr\oxman.exe
      Filesize

      4.6MB

      MD5

      e08fc6e2bbb9a6ddb6d245cfed2fc16b

      SHA1

      f5ccd148b0aba91cf27b2bee3071a59dd793c954

      SHA256

      16acd9abdf3310fbce6af07685d7769fe3317c752165baadcaa5058dec1ebbad

      SHA512

      4e9b42282cf6238dcc27fb728283f47daddfe8a170a0e19a2d80d46189a1d9606467551be021778a0967016de6db0cf88db15f4883626ceaf3c30ec5380c104d

      Download Submit

    • C:\Users\Admin\AppData\Local\Milburr\oxman.exe
      Filesize

      1.5MB

      MD5

      67fbb35573f7cc719e33029159981647

      SHA1

      c7a56e991664d615126e599c663e0848738de301

      SHA256

      c0be5cb14e608a4a106cbaa2ad4fd9a290ce473acea3581c73c69463ff9508ae

      SHA512

      e1eec369dcc29e8c44fc05cddc6839aca7b02f098ecfbd8f6cbeb0510546550e1822ff990dec3accd4e252a4540972cafba3747da4dc39b5644a7c1d9329ba4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Anglophile
      Filesize

      29KB

      MD5

      d0509f20881db2bcb54f9fd7fc26adf3

      SHA1

      48b778405bb4dd1c1faf231fbf02c52889ac954a

      SHA256

      f3ddfee69a5782c64059b3226fb73c627f9995ec6b575da0a7aff289506b0f8f

      SHA512

      30bf9b55aac06c428d5f1d13a178c0c185931a3be699957d3db05f97ead3043a6ec8abba3d7501f297e702410a54680df4cfca546688fee6d01d074771c49e39

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut7262.tmp
      Filesize

      200KB

      MD5

      5cd19aa374dedab4a3b35ffd1563bd76

      SHA1

      6ed931e94bfe30f788c33aacf5e9af4b0948bbae

      SHA256

      394010a407e1df776761107c11972ba87aa8417dfe008dff80dd947130feab87

      SHA512

      284e951a2fd44cafd88d7d59b3b326ec1765ec603ce7d22ee95afe3b1ed9e961a970a32392d112884ceab5efcbdb21ecb3b296ff174b16c6b3c8b78584b643c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut7292.tmp
      Filesize

      9KB

      MD5

      4dadf8caa223a85e282eaf66de7b2b85

      SHA1

      8e1e11c0cd0e1d8a308fd380d547d916330de125

      SHA256

      3d6f2f740e18dea43aa8370d5c3c7697939af0d6ce28a98b0c61d324326b67fe

      SHA512

      5a33e8cfe7a2493de9dac4964cc4e82bd54fef835b0a3c6c866c861d1074c22c42ced1f240827a7d3c0d60fb1747ed0aafaf499b07dfdc7c01f3f1dfc1157e9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\poufs
      Filesize

      202KB

      MD5

      25be564f49720ae1ccbfbee6b442c23e

      SHA1

      88c26fc0efd3d67e51ade5b3d4fffa2ef87a8d41

      SHA256

      06824f517512c44b3bea7d6209f02fcf17d5d622ea5e8ab52bcca85c399cc68b

      SHA512

      b0060a0064272c702a103fb52ec3653c5aae9f26ff45b247a41ce4cfabb537b3f191dd2a84ec08338e867cc3827b13a1bcd08f61ba27e5145a307c5a63ba5ece

      Download Submit

    • C:\Users\Admin\AppData\Roaming\word.exe
      Filesize

      1.3MB

      MD5

      e646eccc6a2a4ae885d9d96e8fa83926

      SHA1

      5b1c47f1964855303b6de48e224e9baa8a9ae236

      SHA256

      00e69bcba637723de4f9a380800be9b813def689a4d150e0879ef43e3c613361

      SHA512

      fd79016cd33c875d84ed1f60dd466eca936ed2ec4c75a94fe31302db4c4a3bd15d33037213acb50d5eb60cb1a47e1949ccc9891b6e75e4011ba2e4c3f57b364c

      Download Submit

    • \Users\Admin\AppData\Local\Milburr\oxman.exe
      Filesize

      3.4MB

      MD5

      f53f8af4a1cd347958a7179319b8f362

      SHA1

      3972b50ef54bcb634106fbab327943f5f3c0faf3

      SHA256

      f24e02ff898996726ada666be7d02f8cf6f189ed2485dcf1968ba64e3f17ac39

      SHA512

      4cdbccb866409cb16d37cc877aa51c0e2aeddc77fe6db7a488cdebe8fabadbf4652b335490fef562c6a97f8d3c6daaff26c682ea6b7ac8de64a5132baeea88f8

      Download Submit

    • memory/1060-67-0x000000006C590000-0x000000006CB3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1060-60-0x000000006C590000-0x000000006CB3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1060-70-0x0000000002180000-0x00000000021C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-54-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1060-56-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1060-58-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1060-69-0x0000000002180000-0x00000000021C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-68-0x000000006C590000-0x000000006CB3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1060-61-0x000000006C590000-0x000000006CB3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1060-62-0x0000000002180000-0x00000000021C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1212-1-0x000000007294D000-0x0000000072958000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1212-59-0x000000007294D000-0x0000000072958000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1212-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1212-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1212-73-0x000000007294D000-0x0000000072958000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2016-21-0x00000000002E0000-0x00000000002E4000-memory.dmp

      Filesize

      16KB

      Download