Windows Analysis Report RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Overview

General Information

Sample Name: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Analysis ID: 458308
MD5: 8c457878cc3c72ea684d3034837101e0
SHA1: 8aad02989c92c45252b7e41f0c712db31c0a1574
SHA256: 94dc3ceb75323f7b1bff7355da2d28804d4df36fa98a1335211101ef94bb2dda
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Virustotal: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Joe Sandbox ML: detected

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 194.5.98.127
Source: Malware configuration extractor URLs: 127.0.0.1

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165F1069 0_2_00007FFA165F1069
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 4_2_004C9626 4_2_004C9626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 5_2_005C9626 5_2_005C9626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 6_2_00E39626 6_2_00E39626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 7_2_00E69626 7_2_00E69626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 8_2_004E9626 8_2_004E9626
PE file contains strange resources
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DCBdvFPc.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258514535.0000000000874000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258791813.0000000000C59000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp Binary or memory string: originalfilename vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265290815.000000001BD60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259722065.00000000011C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265676778.000000001C370000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000004.00000000.251695079.00000000005E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000005.00000002.253481024.00000000006E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000006.00000000.254482952.0000000000F54000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000007.00000000.256067829.0000000000F84000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000008.00000002.258139772.0000000000604000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Yara signature match
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DCBdvFPc.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_01
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File created: C:\Users\user\AppData\Local\Temp\tmp5F10.tmp
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File read: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe'
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (reported 5 times)
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static file information: File size 1203712 > 1048576
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x120e00
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165F7B0C pushad ; iretd 0_2_00007FFA165F7B0D
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165FD19A push cs; retn 0000h 0_2_00007FFA165FD1B1
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165FC95F push cs; retn 0000h 0_2_00007FFA165FC971
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165FB427 push cs; retn 0000h 0_2_00007FFA165FB441
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165F4021 push cs; retn 0000h 0_2_00007FFA165F4025
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Code function: 0_2_00007FFA165F9C06 push es; retf 0_2_00007FFA165F9C07
Source: initial sample Static PE information: section name: .text entropy: 7.70845208383

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe (reported 6 times)
Drops PE files
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (67).png
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: xls.exe Static PE information: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process information set: NOOPENFILEERRORBOX (reported 33 times)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 5840 Thread sleep time: -40406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 2584 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Thread delayed: delay time: 40406
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Thread delayed: delay time: 922337203685477
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process information queried: ProcessInformation
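The two evasion signatures above (sandbox-detection strings in memory, and the thread delays) can be reproduced as a small triage script. The following is an added example, not code from the sandbox report or from the NanoCore sample: it scans a constructed memory blob for the Wine, Sandboxie and VMware indicator strings the report lists, matching them as both ASCII and UTF-16LE (how .NET keeps string literals), and classifies the reported delay values; the sample memory region and the function names are assumptions for illustration.

```python
"""Triage helpers for the sandbox-evasion signals listed in this report.

Added example (not part of the sandbox report or of the NanoCore sample): it
scans a constructed memory blob for the anti-VM / anti-sandbox strings the
report lists and interprets the thread-delay values it shows.
"""

# Indicator strings taken from the report's "Binary or memory string" lines.
SANDBOX_INDICATORS = {
    "wine": ["WINE_GET_UNIX_FILE_NAME"],
    "sandboxie": ["SBIEDLL.DLL"],
    "vmware": [
        "VMware SVGA II",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
        "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
    ],
}

# NtDelayExecution takes a signed 64-bit count of 100 ns units, negative for a
# relative delay. 2**63 // 10_000 is that maximum interval in milliseconds,
# which is exactly the 922337203685477 the report shows: an effectively
# infinite wait, not a timer.
INFINITE_DELAY_MS = 2**63 // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                 # the report's ">= 3 min" threshold


def scan_memory(blob: bytes) -> dict:
    """Return {family: [indicator, ...]} for every indicator present in blob.

    .NET string literals live in memory as UTF-16LE, so each indicator is
    matched both as ASCII and as UTF-16LE; matching is case-insensitive,
    which is why both SBIEDLL.DLL and SbieDll.dll are caught.
    """
    hits = {}
    lowered = blob.lower()   # bytes.lower() only touches ASCII, so UTF-16LE survives
    for family, needles in SANDBOX_INDICATORS.items():
        for needle in needles:
            narrow = needle.lower().encode("ascii")
            wide = needle.lower().encode("utf-16-le")
            if narrow in lowered or wide in lowered:
                hits.setdefault(family, []).append(needle)
    return hits


def classify_delay(delay_ms: int) -> str:
    """Classify a reported thread delay. The report prints relative delays as
    negative numbers, so the sign is dropped before comparing."""
    delay_ms = abs(delay_ms)
    if delay_ms >= INFINITE_DELAY_MS:
        return "infinite"
    if delay_ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


# Constructed memory region (an assumption, standing in for the real dump):
# a mix of narrow and wide strings with filler, as a .NET heap would contain.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"SbieDll.dll\x00"
    + "VMware SVGA II".encode("utf-16-le")
    + b"\x00" * 8
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00WINE_GET_UNIX_FILE_NAME\x00"
)

# Delay values quoted in the report for TIDs 5840 and 2584.
SAMPLE_DELAYS = [-40406, -922337203685477]


def triage(blob: bytes = SAMPLE_MEMORY, delays=SAMPLE_DELAYS) -> dict:
    """Summarise the evasion evidence the way the report's two signatures do."""
    checks = scan_memory(blob)
    delay_classes = {d: classify_delay(d) for d in delays}
    return {
        "sandbox_checks": checks,
        "delays": delay_classes,
        "evasive": bool(checks) or any(c != "short" for c in delay_classes.values()),
    }


if __name__ == "__main__":
    print(triage())
```

Pointed at a real process dump (for example the region the report names, 0x2EC1000), `scan_memory` gives the same family grouping the Yara rule reports; the UTF-16LE pass matters because a plain ASCII `strings` run over a .NET process misses most of these literals.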

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR
No contacted IP infos