Windows Analysis Report INVOICE = 212888585 .xlsx

Overview

General Information

Sample Name: INVOICE = 212888585 .xlsx
Analysis ID: 483709
MD5: 145e00853b80fb2d97676c4416f984a9
SHA1: fa80c59ebbafc435e88ffdceae00450b56ec5d48
SHA256: e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
Tags: xlsx

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Binary contains a suspicious time stamp
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9ed8d108-2eb1-4e23-9679-783796e4", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: INVOICE = 212888585 .xlsx Virustotal: Detection: 42%
Source: INVOICE = 212888585 .xlsx ReversingLabs: Detection: 50%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\ALP.exe ReversingLabs: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR
Machine Learning detection for sample
Source: INVOICE = 212888585 .xlsx Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ALP.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.ALP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.smtpsvc.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.ALP.exe.6c0000.3.unpack Avira: Label: TR/NanoCore.fadte
Source: 16.2.smtpsvc.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.ALP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ALP.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ALP.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding