
Analysis Report RFQ # TSI2202708.doc

Overview

General Information

Sample Name: RFQ # TSI2202708.doc
Analysis ID: 284745
MD5: 20cb2ed12c5e8ff134b114ca034f4138
SHA1: 6284046756c3fdab444e69b6b9d0b66af3dd29fe
SHA256: bc3e2903f2fd921aa8caaf7ec0fa2ac6838eaae7c63144a65b107627452d3bf2

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2336 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • systemvolt.exe (PID: 2480 cmdline: C:\Users\user\AppData\Roaming\systemvolt.exe MD5: C94A041F3F83CA0D62C67E904A02EC4E)
      • RegAsm.exe (PID: 2860 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)
      • RegAsm.exe (PID: 2824 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)
      • RegAsm.exe (PID: 2816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)
  • EQNEDT32.EXE (PID: 2924 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • smtpsvc.exe (PID: 2456 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 246BB0F8D68A463FD17C235DEB5491C0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000004.00000003.2099747378.00000000005F6000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xfa5d:$x1: NanoCore.ClientPluginHost
  • 0xfa9a:$x2: IClientNetworkHost
  • 0x135cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000003.2099747378.00000000005F6000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000004.00000003.2099747378.00000000005F6000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xf7c5:$a: NanoCore
  • 0xf7d5:$a: NanoCore
  • 0xfa09:$a: NanoCore
  • 0xfa1d:$a: NanoCore
  • 0xfa5d:$a: NanoCore
  • 0xf824:$b: ClientPlugin
  • 0xfa26:$b: ClientPlugin
  • 0xfa66:$b: ClientPlugin
  • 0xf94b:$c: ProjectData
  • 0x10352:$d: DESCrypto
  • 0x17d1e:$e: KeepAlive
  • 0x15d0c:$g: LogClientMessage
  • 0x11f07:$i: get_Connected
  • 0x10688:$j: #=q
  • 0x106b8:$j: #=q
  • 0x106d4:$j: #=q
  • 0x10704:$j: #=q
  • 0x10720:$j: #=q
  • 0x1073c:$j: #=q
  • 0x1076c:$j: #=q
  • 0x10788:$j: #=q
Source: 00000004.00000002.2100043507.00000000003B2000.00000040.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000002.2100043507.00000000003B2000.00000040.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Additional memory-dump matches are not shown here (the full report lists 20 entries).

Unpacked PEs

Source: 7.2.RegAsm.exe.920000.3.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 7.2.RegAsm.exe.920000.3.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 4.2.systemvolt.exe.3b0000.0.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 4.2.systemvolt.exe.3b0000.0.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 4.2.systemvolt.exe.3b0000.0.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Additional unpacked-PE matches are not shown here (the full report lists 11 entries).

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\systemvolt.exe, CommandLine: C:\Users\user\AppData\Roaming\systemvolt.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\systemvolt.exe, NewProcessName: C:\Users\user\AppData\Roaming\systemvolt.exe, OriginalFileName: C:\Users\user\AppData\Roaming\systemvolt.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2336, ProcessCommandLine: C:\Users\user\AppData\Roaming\systemvolt.exe, ProcessId: 2480
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 116.203.126.233, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2336, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2336, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bts[1].exe
Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 2816, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bts[1].exe, Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bts[1].exe, ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\systemvolt.exe, Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\systemvolt.exe, ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: RFQ # TSI2202708.doc, Virustotal: Detection: 49%
Source: RFQ # TSI2202708.doc, ReversingLabs: Detection: 45%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000003.2099747378.00000000005F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2100043507.00000000003B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2353765881.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.2099688249.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2357808265.0000000003CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2353403723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: systemvolt.exe PID: 2480, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2816, type: MEMORY
Source: Yara match, File source: 4.2.systemvolt.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.RegAsm.exe.9b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.RegAsm.exe.9b0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bts[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\systemvolt.exe, Joe Sandbox ML: detected
Source: 4.2.systemvolt.exe.3b0000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process create