Analysis
-
max time kernel
119s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 13:46
General
-
Target
PO-45728-10876.rtf
-
Size
373KB
-
MD5
41a88833eb89e0d4d115c1a47cf80119
-
SHA1
71a35d918b6f2ae24e50cc3d7a357392ec84eda7
-
SHA256
157952d9b444d611f06393a1b2708862e8966bfa5443ca404698b07a38f8aa5d
-
SHA512
109d43dbacbf7040da3e38ca685c894a18b0a5f8257750d2d7bc6691410b82a4cae07ed60f74e021273639f3c15b268803b32863654590f30803ab2e4f300d61
-
SSDEEP
6144:VwAYwAYwAYwAYwAYwAYwAYwAYwAYwAwoXT5q1SgT:lt
Malware Config
Extracted
nanocore
1.2.2.0
psolver827.ddns.net:1974
127.0.0.1:1974
9bd2ed5f-213a-4882-91bf-95b6e3347c3e
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-02-26T07:38:31.398347236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1974
-
default_group
dcGEN
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9bd2ed5f-213a-4882-91bf-95b6e3347c3e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
psolver827.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-45728-10876.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bless33333.scr"C:\Users\Admin\AppData\Roaming\bless33333.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bless33333.scr"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WyYsjgJBJvIP.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WyYsjgJBJvIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A6F.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\bless33333.scr"C:\Users\Admin\AppData\Roaming\bless33333.scr"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\bless33333.scr"C:\Users\Admin\AppData\Roaming\bless33333.scr"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5C35.tmp"4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Scheduled Task/Job
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp5A6F.tmpFilesize
1KB
MD5eb3137ddf1f1a996848c11e91755f051
SHA18295b8e779d732544215d026e792e3c2dd6c6372
SHA2564824db1605c62755129b093df75a69ff8fa65aa9584386628bf94ab4172d89b1
SHA512a69e4792f577b82291927255ced65608297be14c3ed8063517d49ec37fc95d1ebb37c4ae537bdc683d3d12f886e04e4f9abbb9a42aae739512a4d9c1fc006315
-
C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmpFilesize
1KB
MD5f188884cbb66b6bb84e6f64695df9e08
SHA1a4c35ff4d85b798a000a87c426f7d4fb0ab69f31
SHA256bdddeb02adbd7c3cfc9574b4ca85503bdc62099114dad04db69143a2d46444f9
SHA512f09731604045f1cd6c7538f6ecdf085b9fe6049f6e05b32b2ae2569dcf00463d328970c944fd59feb3359af1123534dea58ad23b55e51deef3a9e646aeb522c4
-
C:\Users\Admin\AppData\Local\Temp\tmp5C35.tmpFilesize
1KB
MD50479d5f304ef2d7e3c15fb24a99f88c1
SHA18edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15
-
C:\Users\Admin\AppData\Roaming\bless33333.scrFilesize
703KB
MD522594e7b70f9742f9a523114c301a6bb
SHA1e4a9141ed6a1bce9bd1145b634f54553f7eac4e2
SHA256007977b403d4c8ba9d80b07d25163b358be63edac626d3f0b88f576e5468f7d5
SHA5128817f74c356362c1e2529f94884b1397a20365e7de9147a4a2e85b2442eaa417eeca9aebf895fe3f1ddb63a0b70378428dd30c6223a0f3a099e3feb2f918f0bd
-
memory/1848-80-0x0000000000980000-0x0000000000992000-memory.dmpFilesize
72KB
-
memory/1848-72-0x00000000003E0000-0x00000000003EA000-memory.dmpFilesize
40KB
-
memory/1848-88-0x00000000043F0000-0x0000000004404000-memory.dmpFilesize
80KB
-
memory/1848-87-0x00000000043C0000-0x00000000043EE000-memory.dmpFilesize
184KB
-
memory/1848-86-0x00000000021F0000-0x00000000021FE000-memory.dmpFilesize
56KB
-
memory/1848-85-0x00000000021E0000-0x00000000021F4000-memory.dmpFilesize
80KB
-
memory/1848-84-0x00000000021D0000-0x00000000021E0000-memory.dmpFilesize
64KB
-
memory/1848-55-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-64-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-60-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1848-57-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-53-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-62-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-51-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1848-83-0x0000000002180000-0x0000000002194000-memory.dmpFilesize
80KB
-
memory/1848-82-0x00000000020F0000-0x00000000020FC000-memory.dmpFilesize
48KB
-
memory/1848-81-0x00000000020E0000-0x00000000020EE000-memory.dmpFilesize
56KB
-
memory/1848-73-0x0000000000440000-0x000000000045E000-memory.dmpFilesize
120KB
-
memory/1848-74-0x00000000003F0000-0x00000000003FA000-memory.dmpFilesize
40KB
-
memory/1848-77-0x00000000004C0000-0x00000000004D2000-memory.dmpFilesize
72KB
-
memory/1848-78-0x00000000007A0000-0x00000000007BA000-memory.dmpFilesize
104KB
-
memory/1848-79-0x00000000007C0000-0x00000000007CE000-memory.dmpFilesize
56KB
-
memory/2408-31-0x0000000000170000-0x0000000000222000-memory.dmpFilesize
712KB
-
memory/2408-29-0x000000006B9AE000-0x000000006B9AF000-memory.dmpFilesize
4KB
-
memory/2408-39-0x0000000005E40000-0x0000000005EBA000-memory.dmpFilesize
488KB
-
memory/2408-38-0x00000000004B0000-0x00000000004C0000-memory.dmpFilesize
64KB
-
memory/2408-37-0x0000000000550000-0x000000000055C000-memory.dmpFilesize
48KB
-
memory/2408-36-0x0000000000780000-0x00000000007A2000-memory.dmpFilesize
136KB
-
memory/2964-0-0x000000002FD41000-0x000000002FD42000-memory.dmpFilesize
4KB
-
memory/2964-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2964-2-0x000000007189D000-0x00000000718A8000-memory.dmpFilesize
44KB
-
memory/2964-90-0x000000007189D000-0x00000000718A8000-memory.dmpFilesize
44KB