Analysis
-
max time kernel
148s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
11-06-2024 20:27
Static task
static1
Behavioral task
behavioral1
Sample
First quater purchase quotation request/FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Resource
win7-20240508-en
General
-
Target
First quater purchase quotation request/FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
-
Size
368KB
-
MD5
09797cdd39ac8e04e9f06ebbea8d6080
-
SHA1
7aec84b16f1b53b460a20060a2ec56342da78217
-
SHA256
5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e
-
SHA512
b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d
-
SSDEEP
6144:aiC4cGH9KHku2PHGz5j83UgJgGXjQDmjWzb1qY4xJDFssSNGKb1UugFmRj:aiC4V1uMI5jn4g2j1mb1cJ2lNGKb1F
Malware Config
Extracted
nanocore
1.2.2.0
officewkgrace.ddns.net:17084
212.7.208.100:17084
0037a82e-4499-413e-b334-92da53e56ece
-
activate_away_mode
true
-
backup_connection_host
212.7.208.100
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-10-14T11:37:36.306932336Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
[value not reproduced on this page]
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
17084
-
default_group
psm 93
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB)
-
mutex
0037a82e-4499-413e-b334-92da53e56ece
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
officewkgrace.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE 2 IoCs
Processes:
PID 2328 wordapp.exe
PID 1620 wordapp.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wordapp.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wordApplication = "C:\\Users\\Admin\\AppData\\Local\\wordapp.exe -boot"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"
-
Checks whether UAC is enabled 1 IoCs
Processes:
wordapp.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 2328 (wordapp.exe) set thread context of PID 1620 (wordapp.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
wordapp.exe
File created: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe
File opened for modification: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
PID 2392 schtasks.exe
PID 660 schtasks.exe
-
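Detection logic for the two persistence mechanisms recorded above (the two Run-key writes by wordapp.exe and the two schtasks.exe imports from Temp), as an added example that is not part of the sandbox report or of any sandbox's own rules. The event dictionaries are hand-transcribed from this report, the rule names and the benign control event are constructed for illustration, and the checks encode three observations from the report: a process registering its own image under Run, a Run entry pointing at a user-writable path, and a scheduled task created with /f from an XML file in the user's Temp directory so the task body never appears on the command line.

```python
import re
from pathlib import PureWindowsPath

# Events constructed from the report above (hand-transcribed, not a live
# telemetry feed): the two Run-key writes by wordapp.exe, the two
# schtasks.exe launches, and one constructed benign control for contrast.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "wordapp.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wordApplication",
     "value": r"C:\Users\Admin\AppData\Local\wordapp.exe -boot"},
    {"type": "registry_set", "process": "wordapp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem",
     "value": r"C:\Program Files (x86)\SMTP Subsystem\smtpss.exe"},
    {"type": "process_create", "process": "schtasks.exe", "parent": "wordapp.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD45D.tmp"'},
    {"type": "process_create", "process": "schtasks.exe", "parent": "wordapp.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"'},
    # Constructed benign control: a task whose action is given inline from a
    # vendor directory, with no XML import from a user-writable location.
    {"type": "process_create", "process": "schtasks.exe", "parent": "msiexec.exe",
     "cmdline": r'"schtasks.exe" /create /tn "ExampleUpdater" /tr "C:\Program Files\Example\updater.exe" /sc daily'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r'/xml\s+"(?P<path>[^"]+)"', re.IGNORECASE)


def exe_from_run_value(value):
    """Strip arguments from a Run-key value and return the executable path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def check_registry_set(ev):
    """Rules for a Run-key write: who registered what, and where it lives."""
    findings = []
    m = RUN_KEY_RE.search(ev["key"])
    if not m:
        return findings
    exe = exe_from_run_value(ev["value"])
    target = PureWindowsPath(exe).name.lower()
    writer = ev["process"].lower()
    if target == writer:
        findings.append(("PERSIST-RUN-SELF", writer,
                         f"registers its own image as Run\\{m['name']}"))
    else:
        findings.append(("PERSIST-RUN-OTHER-BINARY", writer,
                         f"registers a different binary ({exe}) as Run\\{m['name']}"))
    if USER_WRITABLE_RE.search(exe):
        findings.append(("PERSIST-RUN-USERDIR", writer,
                         f"Run\\{m['name']} points into a user-writable path: {exe}"))
    return findings


def check_process_create(ev):
    """Rule for schtasks.exe: task imported from XML in a user-writable path."""
    findings = []
    cmd = ev["cmdline"]
    if "schtasks" not in cmd.lower() or "/create" not in cmd.lower():
        return findings
    m = SCHTASKS_XML_RE.search(cmd)
    if m and USER_WRITABLE_RE.search(m["path"]):
        forced = " (with /f, overwriting any existing task)" if " /f " in cmd else ""
        findings.append(("PERSIST-TASK-TEMPXML", ev["parent"].lower(),
                         f"imports a task definition from {m['path']}{forced}"))
    return findings


def analyze(events):
    """Run every rule over an event list and return (rule, process, detail) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            findings.extend(check_registry_set(ev))
        elif ev["type"] == "process_create":
            findings.extend(check_process_create(ev))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:26} {proc:12} {detail}")
```

Run against the transcribed events this yields five findings: the wordApplication entry trips both the self-registration and user-writable-path rules, the SMTP Subsystem entry trips the other-binary rule (wordapp.exe registering the smtpss.exe it dropped), and each schtasks launch trips the Temp-XML rule; the constructed updater task produces nothing. In production the XML rule should be paired with collection of the referenced .tmp file, since the task action is otherwise invisible.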
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PID 1620 wordapp.exe (3 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 1620 wordapp.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege, PID 2252 FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe
Token: SeDebugPrivilege, PID 2328 wordapp.exe
Token: SeDebugPrivilege, PID 1620 wordapp.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
PID 2252 (FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe) wrote to memory of PID 2620 (cmd.exe), 3 times
PID 2252 (FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe) wrote to memory of PID 3152 (cmd.exe), 3 times
PID 3152 (cmd.exe) wrote to memory of PID 2328 (wordapp.exe), 3 times
PID 2328 (wordapp.exe) wrote to memory of PID 1620 (wordapp.exe), 8 times
PID 1620 (wordapp.exe) wrote to memory of PID 660 (schtasks.exe), 3 times
PID 1620 (wordapp.exe) wrote to memory of PID 2392 (schtasks.exe), 3 times
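The WriteProcessMemory and SetThreadContext IoCs above can be turned into a process-hollowing heuristic. This Python block is an added example, not part of the report or of any sandbox's own logic: the PROCESSES table and EVENTS list are transcribed from the IoCs in this report, and the rule it encodes is what the data shows, namely that every ordinary parent-to-child spawn in this run produced three writes, while the second wordapp.exe (PID 1620, a freshly spawned copy of its parent's own image) received eight writes followed by a SetThreadContext call from PID 2328.

```python
from collections import Counter

# Process table and cross-process API events transcribed from the report's
# WriteProcessMemory and SetThreadContext IoCs (constructed for this example,
# not a live event feed). Per-pair write counts match the 23 entries listed.
PROCESSES = {
    2252: "FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe",
    2620: "cmd.exe",
    3152: "cmd.exe",
    2328: "wordapp.exe",
    1620: "wordapp.exe",
    660: "schtasks.exe",
    2392: "schtasks.exe",
}

# (api, source_pid, target_pid)
EVENTS = (
    [("WriteProcessMemory", 2252, 2620)] * 3
    + [("WriteProcessMemory", 2252, 3152)] * 3
    + [("WriteProcessMemory", 3152, 2328)] * 3
    + [("WriteProcessMemory", 2328, 1620)] * 8
    + [("SetThreadContext", 2328, 1620)]
    + [("WriteProcessMemory", 1620, 660)] * 3
    + [("WriteProcessMemory", 1620, 2392)] * 3
)


def summarize_pairs(events):
    """Count WriteProcessMemory calls per (source, target) pair and collect the
    pairs that also saw a SetThreadContext call."""
    writes = Counter()
    thread_ctx = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            thread_ctx.add((src, dst))
    return writes, thread_ctx


def spawn_baseline(writes):
    """Smallest per-pair write count: in this run every plain parent-to-child
    spawn shows exactly that many writes, so anything above it is extra data
    pushed into the child after creation."""
    return min(writes.values())


def find_hollowing(events, processes):
    """Flag (source, target) pairs where the source wrote more than a plain spawn
    into the target and then redirected one of its threads with SetThreadContext:
    the write-payload-then-resume shape of process hollowing."""
    writes, thread_ctx = summarize_pairs(events)
    baseline = spawn_baseline(writes)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in thread_ctx or n <= baseline:
            continue
        findings.append({
            "source": src,
            "target": dst,
            "source_image": processes.get(src, "?"),
            "target_image": processes.get(dst, "?"),
            "writes": n,
            "baseline_writes": baseline,
            # Hollowing a suspended copy of the writer's own image is the
            # sub-case seen in this report; other families target a system binary.
            "self_copy": processes.get(src) == processes.get(dst),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, PROCESSES):
        print(f"PID {f['source']} ({f['source_image']}) -> PID {f['target']} "
              f"({f['target_image']}): {f['writes']} writes vs baseline "
              f"{f['baseline_writes']}, SetThreadContext seen, "
              f"self-copy={f['self_copy']}")
```

On this data the only hit is 2328 -> 1620, which is consistent with the 224KB memory/1620-21 dump at 0x400000-0x438000 in the child being the region worth carving for the unpacked NanoCore payload. The baseline is taken from the run itself rather than hard-coded, because the number of writes a plain CreateProcess generates varies with the monitoring hook set.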
Processes
-
C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe (PID 2252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2620)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\First quater purchase quotation request\FIRST QUATER PURCHASE REQUEST AND COMP PROFILE xls.exe" "C:\Users\Admin\AppData\Local\wordapp.exe"
  C:\Windows\SysWOW64\cmd.exe (PID 3152)
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\wordapp.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\wordapp.exe (PID 2328)
      Command line: "C:\Users\Admin\AppData\Local\wordapp.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\wordapp.exe (PID 1620)
        Command line: "C:\Users\Admin\AppData\Local\wordapp.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD45D.tmp"
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"
          - Creates scheduled task(s)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2384 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wordapp.exe.log
Filesize 706B
MD5 0110f3d722cddd9753644c78a308ff57
SHA1 c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7
SHA256 03c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4
SHA512 8a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63
-
C:\Users\Admin\AppData\Local\Temp\tmpD45D.tmp
Filesize 1KB
MD5 db22af35d8ec778d087a5a134b54dfde
SHA1 cd57666e2ada94016032b967984c4f65beed0dab
SHA256 2530403cf3fcc489695ab50e1871bd71ac477bd11129049c5f8bc36cc0bf20e9
SHA512 6e3153e50fa887959ae5c0b76d0e042da12cd4f94c0f0d334a2c49d2f45bf6ff38364f51c895e2f0f2a4f8287356c4be262bddee3a0c4d276eecd8fe048bc4a0
-
C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp
Filesize 1KB
MD5 0339b45ef206f4becc88be0d65e24b9e
SHA1 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512 c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
-
C:\Users\Admin\AppData\Local\wordapp.exe (byte-for-byte copy of the submitted sample; hashes identical)
Filesize 368KB
MD5 09797cdd39ac8e04e9f06ebbea8d6080
SHA1 7aec84b16f1b53b460a20060a2ec56342da78217
SHA256 5ab18122ba5fd805583d4723e2099b87a8999206b79a933a5d071e955e224c5e
SHA512 b89d497b7c72a4888ba5c9b6743c0759a5253c1c764b7441fafa26585cf9e3a0b9ccc22d86b958f50f640ba47194f84d43053bdba49f907c88daac28a9baf70d
-
memory/1620-36-0x00000000060A0000-0x00000000060AA000-memory.dmp
Filesize 40KB
-
memory/1620-35-0x0000000005080000-0x000000000509E000-memory.dmp
Filesize 120KB
-
memory/1620-34-0x0000000004F50000-0x0000000004F5A000-memory.dmp
Filesize 40KB
-
memory/1620-26-0x0000000004ED0000-0x0000000004EDA000-memory.dmp
Filesize 40KB
-
memory/1620-21-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/2252-16-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2252-6-0x00000000082C0000-0x0000000008864000-memory.dmp
Filesize 5.6MB
-
memory/2252-1-0x0000000000C60000-0x0000000000CC4000-memory.dmp
Filesize 400KB
-
memory/2252-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
Filesize 4KB
-
memory/2252-2-0x0000000005600000-0x0000000005646000-memory.dmp
Filesize 280KB
-
memory/2252-3-0x00000000057E0000-0x0000000005800000-memory.dmp
Filesize 128KB
-
memory/2252-4-0x0000000007C70000-0x0000000007D02000-memory.dmp
Filesize 584KB
-
memory/2252-8-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
Filesize 4KB
-
memory/2252-7-0x00000000056C0000-0x00000000056CC000-memory.dmp
Filesize 48KB
-
memory/2252-5-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2252-9-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2328-25-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2328-20-0x0000000008550000-0x00000000085EC000-memory.dmp
Filesize 624KB
-
memory/2328-19-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2328-18-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB
-
memory/2328-17-0x0000000074CB0000-0x0000000075460000-memory.dmp
Filesize 7.7MB