Windows Analysis Report
DOC_MDR0307_019.doc
Overview
General Information
Detection
Nanocore
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Office equation editor drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Add Task From User AppData Temp
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Contains functionality to detect virtual machines (SLDT)
Potential document exploit detected (performs HTTP gets)
Sigma detected: Autorun Keys Modification
Classification
- System is w7x64
- WINWORD.EXE (PID: 508, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 1832, cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  - plugmancdht5461.exe (PID: 2992, cmdline: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, MD5: 7031570AA150B893F68A32900327B2AE)
  - powershell.exe (PID: 2848, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe", MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  - schtasks.exe (PID: 1868, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp90FA.tmp", MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  - RegSvcs.exe (PID: 2184, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  - schtasks.exe (PID: 1760, cmdline: schtasks.exe /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpCAE4.tmp", MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  - schtasks.exe (PID: 2308, cmdline: schtasks.exe /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBC45.tmp", MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
- taskeng.exe (PID: 2804, cmdline: taskeng.exe {C8C4FF1A-D055-4E86-80AC-43603134EA50} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1], MD5: 65EA57712340C09B1B0C427B4848AE05)
  - RegSvcs.exe (PID: 2912, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0, MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  - smtpsvc.exe (PID: 2084, cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0, MD5: 62CE5EF995FD63A1847A196C2E8B267B)
- smtpsvc.exe (PID: 1832, cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe", MD5: 62CE5EF995FD63A1847A196C2E8B267B)
- cleanup

The chain is Equation Editor (CVE-2017-11882 / CVE-2018-0802) dropping plugmancdht5461.exe, which excludes its persistence path from Defender, registers scheduled tasks from XML files in the user's Temp folder, and hollows the .NET RegSvcs.exe host. smtpsvc.exe carries the same MD5 as RegSvcs.exe (62CE5EF995FD63A1847A196C2E8B267B), so the "SMTP Service" persistence binary is a byte-identical copy of the legitimate RegSvcs.exe that is later relaunched by the Task Scheduler (taskeng.exe) with the argument 0.
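The three behaviours in the tree above that the report's Sigma rules fire on (Equation Editor spawning a child, "Powershell Defender Exclusion", "Suspicious Add Task From User AppData Temp") can be encoded as process-creation checks. The following is an added example, not code from the Joe Sandbox report: the events are constructed from the command lines in the tree, the ParentImage links are an assumption that the flattened tree does not record, and the field names are an assumption about the event source (Sysmon-style process creation).

```python
"""Process-creation checks mirroring the report's process tree.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the command lines the report lists; the parent/child links and the
field names are assumptions about the telemetry source.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

EVENTS: List[Event] = [
    # Benign baseline: Word started by the shell (constructed parent).
    {"pid": "508", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    # Equation Editor running the dropped first stage.
    {"pid": "2992", "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\user\AppData\Roaming\plugmancdht5461.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\plugmancdht5461.exe"},
    {"pid": "2848", "ParentImage": r"C:\Users\user\AppData\Roaming\plugmancdht5461.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe"'},
    {"pid": "1868", "ParentImage": r"C:\Users\user\AppData\Roaming\plugmancdht5461.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp90FA.tmp"'},
    {"pid": "2184", "ParentImage": r"C:\Users\user\AppData\Roaming\plugmancdht5461.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": "1760", "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpCAE4.tmp"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def eqnedt32_spawned_child(ev: Event) -> bool:
    # Equation Editor has no business starting other programs; a child of
    # EQNEDT32.EXE is the CVE-2017-11882 / CVE-2018-0802 dropper pattern.
    return image_name(ev["ParentImage"]) == "eqnedt32.exe"


def defender_exclusion_via_powershell(ev: Event) -> bool:
    # Substring match on the whole line so that both a bare cmdlet invocation
    # (as in the report) and '-Command "Add-MpPreference ..."' are caught.
    if image_name(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    line = ev["CommandLine"].lower()
    return "add-mppreference" in line and "-exclusion" in line


def schtasks_xml_from_user_temp(ev: Event) -> bool:
    if image_name(ev["Image"]) != "schtasks.exe":
        return False
    toks = [t.lower() for t in tokenize(ev["CommandLine"])]
    if "/create" not in toks:
        return False
    # /xml takes the task definition path as the following argument.
    return any(flag == "/xml" and "\\appdata\\local\\temp\\" in value
               for flag, value in zip(toks, toks[1:]))


RULES: Dict[str, Callable[[Event], bool]] = {
    "eqnedt32_child_process": eqnedt32_spawned_child,
    "powershell_defender_exclusion": defender_exclusion_via_powershell,
    "schtasks_xml_from_user_temp": schtasks_xml_from_user_temp,
}


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (pid, rule) pairs for every event that trips a rule."""
    return [(ev["pid"], name)
            for ev in events for name, check in RULES.items() if check(ev)]


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(f"PID {pid}: {rule}")
```

The Word baseline trips nothing; the four malicious events each trip exactly one rule. The schtasks check keys on the /xml path rather than the task name because the task names here ("Updates\ZdNnwVcb", "SMTP Service") are chosen to look legitimate, while a task definition read from the user's Temp folder is rare in normal administration.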
Extracted NanoCore configuration:

```json
{
  "Version": "1.2.2.0",
  "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9",
  "Group": "PHADDY",
  "Domain1": "vijayikohli1.bounceme.net",
  "Domain2": "127.0.0.1",
  "Port": 3132,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"
}
```

Domain2 (127.0.0.1) is an unused placeholder slot, so the only live C2 is vijayikohli1.bounceme.net on TCP port 3132, resolved through the configured custom DNS servers 8.8.8.8 and 8.8.4.4 rather than the host's resolver. BypassUserAccountControlData is a Task Scheduler XML template (RunLevel HighestAvailable, Exec of #EXECUTABLEPATH with $(Arg0)); the schtasks /xml invocations in the process tree evidently register tasks from this template written to temporary files, which is also why the task-launched processes carry the argument 0.
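Working the configuration above into indicators, as an added example that is not code from the report or from the Joe Sandbox configuration extractor. CONFIG_JSON is the report's extracted configuration with the embedded task XML shortened to the elements used here and closed properly (the report's copy ends after `</Task`). The hex fields (BufferSize, MaxPacketSize, GCThreshold) are decoded as little-endian 32-bit integers; that layout is an assumption about NanoCore's serialisation, not something the report states.

```python
"""Indicators from the NanoCore configuration in the report above.

Added example, not from the report. CONFIG_JSON is the report's config with
the task XML trimmed; the little-endian uint32 reading of the hex fields is
an assumption about NanoCore's serialisation.
"""
import ipaddress
import json
import re
import struct
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

CONFIG_JSON = r'''{
  "Version": "1.2.2.0", "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9", "Group": "PHADDY",
  "Domain1": "vijayikohli1.bounceme.net", "Domain2": "127.0.0.1", "Port": 3132,
  "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable",
  "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000,
  "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <Hidden>false</Hidden>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>"
}'''
CONFIG = json.loads(CONFIG_JSON)

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a host name, not an address
        return False


def c2_endpoints(cfg: Dict) -> List[Tuple[str, int]]:
    """(host, port) pairs; a loopback address in a Domain slot is an unused placeholder."""
    port = int(cfg["Port"])
    hosts = [cfg.get(k, "") for k in ("Domain1", "Domain2")]
    return [(h, port) for h in hosts if h and not _is_loopback(h)]


def enabled_flags(cfg: Dict) -> List[str]:
    """Names of the Enable/Disable switches that are turned on."""
    return sorted(k for k, v in cfg.items() if v == "Enable")


def decode_le32(hex_field: str) -> int:
    """Decode an 8-hex-digit field as a little-endian uint32 (assumed layout)."""
    return struct.unpack("<I", bytes.fromhex(hex_field))[0]


def task_summary(task_xml: str) -> Dict[str, Optional[str]]:
    """Run level, visibility and action of the embedded Task Scheduler template."""
    # Drop the declaration: it describes the UTF-16 file NanoCore writes to
    # disk, not the str we hold here.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))

    def text(*tags: str) -> Optional[str]:
        node = root.find("/".join(TASK_NS + t for t in tags))
        return node.text if node is not None else None

    return {
        "run_level": text("Principals", "Principal", "RunLevel"),
        "hidden": text("Settings", "Hidden"),
        "command": text("Actions", "Exec", "Command"),
        "arguments": text("Actions", "Exec", "Arguments"),
    }


def indicators(cfg: Dict) -> Dict:
    """Everything a responder would pull out of this config in one place."""
    custom_dns = cfg.get("UseCustomDNS") == "Enable"
    return {
        "c2": c2_endpoints(cfg),
        "mutex": cfg["Mutex"],
        "group": cfg["Group"],
        "dns": [cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]] if custom_dns else [],
        "enabled": enabled_flags(cfg),
        "buffer_size": decode_le32(cfg["BufferSize"]),
        "max_packet_size": decode_le32(cfg["MaxPacketSize"]),
        "uac_task": task_summary(cfg["BypassUserAccountControlData"]),
    }


if __name__ == "__main__":
    print(json.dumps(indicators(CONFIG), indent=2))
```

Under the little-endian assumption BufferSize decodes to 65535 and MaxPacketSize/GCThreshold to 10485760 (10 MiB), which are plausible socket and packet limits; if a sample ever yields nonsensical values the layout assumption is the first thing to revisit. The mutex and group name are useful host-side pivots (the mutex is created on every start, and the group string identifies the campaign in the operator's panel).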
Yara matches (5 of 29 entries shown; the Source and Strings columns are empty in this export):

Rule | Description | Author
---|---|---
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Yara matches (5 of 61 entries shown; the Source and Strings columns are empty in this export):

Rule | Description | Author
---|---|---
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
Signature overview by category (the rule name column is empty in this export; the authors are those of the matching Sigma and Joe Security rules):

Category | Rule author(s)
---|---
AV Detection | Joe Security
Exploits | Joe Security
Exploits | Joe Security
E-Banking Fraud | Joe Security
System Summary | Florian Roth
System Summary | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
System Summary | Perez Diego (@darkquassar), oscd.community
System Summary | frack113
System Summary | Florian Roth
System Summary | Nikita Nazarov, oscd.community
System Summary | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
System Summary | juju4
System Summary | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Stealing of Sensitive Information | Joe Security
Remote Access Functionality | Joe Security
Signature evidence by category (the export carries only the evidence type of each entry; the matched values, links and rule names are not included):

Category | Evidence type | Entries
---|---|---
AV Detection | Avira URL Cloud | 1
AV Detection | Avira | 8
AV Detection | File source | 27
AV Detection | Malware Configuration Extractor | 1
AV Detection | Virustotal (perma link) | 3
AV Detection | ReversingLabs | 4
AV Detection | Joe Sandbox ML | 3
Exploits | Process created | 3
Exploits | Stream path '_1704547387/\x1CompObj' | 1
Exploits | File opened | 7
Exploits | Binary string | 1
Exploits | TCP traffic | 2
Exploits | DNS query | 1
Networking | Snort IDS | 13
Networking | URLs | 2
Networking | HTTP traffic detected | 1