
Analysis Report 0987654324.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 217152
Start date: 23.03.2020
Start time: 07:14:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 0987654324.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/8@3/2
EGA Information:
  • Successful, ratio: 60%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, MusNotifyIcon.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 40.90.137.125, 40.90.137.126, 40.90.23.206, 51.104.136.2, 40.127.240.158
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, lgin.msa.trafficmanager.net, login.live.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | - | false | Nanocore | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | -


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting [11] | Startup Items [1] | Startup Items [1] | Software Packing [11] | Input Capture [11] | Security Software Discovery [1] | Application Deployment Software | Input Capture [11] | Data Encrypted [11] | Uncommonly Used Port [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Registry Run Keys / Startup Folder [2] | Access Token Manipulation [1] | Disabling Security Tools [1] | Network Sniffing | File and Directory Discovery [1] | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Hidden Files and Directories [1] | Process Injection [112] | Deobfuscate/Decode Files or Information [1] | Input Capture | System Information Discovery [3] | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Scripting [11] | Credentials in Files | Virtualization/Sandbox Evasion [2] | Logon Scripts | Input Capture | Data Encrypted | Remote Access Tools [1] | SIM Card Swap | - | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information [1] | Account Manipulation | Process Discovery [2] | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol [1] | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Masquerading [2] | Brute Force | Application Window Discovery [1] | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol [1] | Jamming or Denial of Service | - | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Hidden Files and Directories [1] | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Virtualization/Sandbox Evasion [2] | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Access Token Manipulation [1] | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | - | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Process Injection [112] | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | - | - | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | DLL Side-Loading [1] | Private Keys | Security Software Discovery | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | - | - | Disk Structure Wipe

Bracketed digits are the signature-hit markers the report attaches to a technique; techniques without a marker were not flagged for this sample, and "-" is an empty matrix cell.

Signature Overview



AV Detection:

Antivirus detection for dropped file
  • Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Avira: detection malicious, Label: HEUR/AGEN.1046681
Antivirus detection for sample
  • Source: 0987654324.exe | Avira: detection malicious, Label: HEUR/AGEN.1046681
Found malware configuration
  • Source: RegAsm.exe.5480.11.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.72", "79.134.225.72:7690", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
  • Source: cashflow.hopto.org | Virustotal: Detection: 7%
Yara detected Nanocore RAT
  • Source: Yara match | File source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY
  • Source: Yara match | File source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE
  • Source: Yara match | File source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE
  • Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
  • Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
  • Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
  • Source: 11.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.6:49936 -> 197.210.85.254:7690
  • Source: global traffic | TCP traffic: 192.168.2.6:49946 -> 79.134.225.72:7690
Domain name seen in connection with other malware
  • Source: Joe Sandbox View | Domain Name: cashflow.hopto.org
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 79.134.225.72
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: unknown
  • Source: Joe Sandbox View | ASN Name: unknown
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.72 (reported 6 times)
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: cashflow.hopto.org
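The configuration finding under AV Detection and the network findings above are the two things an analyst correlates first: the C2 endpoints the extractor pulled from RegAsm.exe memory, and flows that reached an IP for which no DNS answer had been seen. The Python below is an added example and is not part of the Joe Sandbox report. It parses the extractor's NanoCore line into C2 indicators (dropping the 255.255.255.255 entry as non-routable), then triages constructed flow and DNS records modelled on the two connections listed above. The flow timestamps, the benign third flow, the second DNS answer, and the assumption that cashflow.hopto.org answered 197.210.85.254 are all constructed for the demo; the report does not state what that name resolved to.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed inputs for the demo (not the report's raw logs).
# The config string is the extractor output quoted in the report.
NANOCORE_CONFIG = (
    'NanoCore {"C2: ": ["79.134.225.72", "79.134.225.72:7690", "255.255.255.255"], '
    '"Version: ": "NanoCore Client, Version=1.2.2.0"}'
)

# Flow records modelled on the two connections in the report, plus one benign
# flow to a whitelisted Microsoft IP. Timestamps are assumptions.
FLOWS = [
    {"ts": 10.0, "src": "192.168.2.6", "sport": 49936, "dst": "197.210.85.254", "dport": 7690},
    {"ts": 12.5, "src": "192.168.2.6", "sport": 49946, "dst": "79.134.225.72", "dport": 7690},
    {"ts": 13.0, "src": "192.168.2.6", "sport": 49950, "dst": "40.90.137.125", "dport": 443},
]

# DNS answers seen before the flows. The report only shows a query for
# cashflow.hopto.org; that it answered 197.210.85.254 is an assumption here.
DNS_ANSWERS = [
    {"ts": 9.0, "qname": "cashflow.hopto.org", "answer": "197.210.85.254"},
    {"ts": 9.5, "qname": "settings-win.data.microsoft.com", "answer": "40.90.137.125"},
]

STANDARD_TCP_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995, 3389}


def extract_c2(config_line):
    """Turn the extractor's 'NanoCore {...}' line into {host: [ports]}.

    Entries without a port are kept as hosts with no port; placeholder or
    non-routable addresses (255.255.255.255, RFC 1918, loopback) are dropped.
    """
    cfg = json.loads(config_line[config_line.index("{"):])
    c2 = defaultdict(set)
    for entry in cfg.get("C2: ", []):
        host, port = entry.rsplit(":", 1) if ":" in entry else (entry, None)
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_reserved or ip.is_unspecified or ip.is_private or ip.is_loopback:
                continue
        except ValueError:
            pass  # a hostname rather than an IP literal: keep it
        if port:
            c2[host].add(int(port))
        else:
            c2.setdefault(host, set())
    return {host: sorted(ports) for host, ports in c2.items()}


def resolved_before(dns_answers, ip, ts):
    """True if some DNS answer carrying this IP was seen at or before ts."""
    return any(a["answer"] == ip and a["ts"] <= ts for a in dns_answers)


def triage_flows(flows, dns_answers, c2, standard_ports=STANDARD_TCP_PORTS):
    """Return flows that hit a known C2, lacked a prior DNS answer, or used a
    non-standard destination port, with the reasons listed in that order."""
    findings = []
    for flow in flows:
        dst, dport = flow["dst"], flow["dport"]
        reasons = []
        if dst in c2 and (not c2[dst] or dport in c2[dst]):
            reasons.append("known_c2")
        if not resolved_before(dns_answers, dst, flow["ts"]):
            reasons.append("no_dns")
        if dport not in standard_ports:
            reasons.append("nonstandard_port")
        if reasons:
            findings.append({**flow, "reasons": reasons})
    return findings


if __name__ == "__main__":
    indicators = extract_c2(NANOCORE_CONFIG)
    for f in triage_flows(FLOWS, DNS_ANSWERS, indicators):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}  {', '.join(f['reasons'])}")
```

Run against the constructed data, the 197.210.85.254 flow is flagged only for the non-standard port (it followed a DNS answer), the 79.134.225.72 flow is flagged on all three counts, and the whitelisted 443 flow is not reported. The "no_dns" check is the same logic behind the report's "Connects to IPs without corresponding DNS lookups" signature: a hard-coded C2 address never produces a preceding query.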

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
  • Source: RegAsm.exe, 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
  • Same twelve Yara matches (six memory dumps, process memory of RegAsm.exe PIDs 5464 and 5480, and four unpacked PE files) as listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 00000003.00000002.1437794445.00000000059F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 3.2.RegAsm.exe.59f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
  • Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
  • Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Binary is likely a compiled AutoIt script file
  • Source: 0987654324.exe, 00000000.00000000.1005622789.000000000104F000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
  • Source: 0987654324.exe, 00000000.00000000.1005622789.000000000104F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
  • Source: tcmsetup.exe, 00000006.00000000.1163372702.0000000000B4F000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
  • Source: tcmsetup.exe, 00000006.00000000.1163372702.0000000000B4F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
  • Source: 0987654324.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
  • Source: 0987654324.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Abnormal high CPU usage
  • Source: C:\Users\user\Desktop\0987654324.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_057E17F2 NtQuerySystemInformation
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_057E17B7 NtQuerySystemInformation
Detected potential crypto function
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056CB060
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C8738
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C2FA8
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C23A0
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C306F
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C9457
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C9C38
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_056C9390
  • Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Code function: 4_2_028B01B7
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 11_2_052B3850
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 11_2_052B2FA8
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 11_2_052B306F
PE file contains strange resources
  • Source: 0987654324.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources)
  • Source: tcmsetup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources)
Tries to load missing DLLs
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll (reported twice)
Yara signature match
  • Source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: 00000003.00000002.1437794445.00000000059F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 00000003.00000002.1437794445.00000000059F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
  • Source: 3.2.RegAsm.exe.59f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 3.2.RegAsm.exe.59f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
  • Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
.NET source code contains calls to encryption/decryption functions
  • Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
  • Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
  • Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
  • Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
  • Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
  • Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
  • Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
  • Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
  • Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
  • Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Classification label
  • Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/8@3/2
Contains functionality to adjust token privileges (e.g. debug / backup)
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_057E15B2 AdjustTokenPrivileges
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_057E157B AdjustTokenPrivileges
Creates files inside the program directory
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\WPA Service
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\0987654324.exe | File created: C:\Users\user\WerFaultSecure
Creates mutexes
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c0074ed4-b3f6-4865-a60b-49988bfbeb71}
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2480:120:WilError_01
Executes visual basic scripts
  • Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\WerFaultSecure\WerFaultSecure.vbs'
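Two findings in this report fit together: a .url file in the user's Startup folder (C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url) matched the Methodology_Suspicious_Shortcut_Local_URL rule, and wscript.exe was launched with C:\Users\user\WerFaultSecure\WerFaultSecure.vbs. The report does not show the shortcut's contents, so the sample below is constructed on the assumption that the .url points at that script; the code is an added example, not from the report or from Joe Sandbox. It parses .url files (INI syntax with an [InternetShortcut] section), normalises file:, drive-letter and UNC targets to a Windows path, and flags targets whose extension makes the shortcut a script or binary launcher, which is the persistence pattern that rule describes.

```python
import configparser
import re
from pathlib import Path, PureWindowsPath

# Constructed .url content (assumption: the Startup shortcut the report flagged
# points at the .vbs that wscript.exe was seen launching).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/user/WerFaultSecure/WerFaultSecure.vbs
IconIndex=0
"""

# Constructed benign shortcut for contrast.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""

# Extensions that turn a Startup .url into a script/binary launcher.
LAUNCHER_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                 ".ps1", ".bat", ".cmd", ".exe", ".scr", ".dll"}


def parse_url_target(text):
    """Return the URL= value of an InternetShortcut (.url) file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """('local', windows_path) for file:, drive-letter or UNC targets;
    ('remote', url) for anything else (http, https, ...)."""
    u = url.strip()
    m = re.match(r"(?i)^file:(.*)$", u)
    if m:
        path = m.group(1).lstrip("/").replace("/", "\\")
        if not re.match(r"^[A-Za-z]:", path):
            path = "\\\\" + path  # file://server/share/... is a UNC path
        return "local", path
    if re.match(r"^[A-Za-z]:[\\/]", u) or u.startswith("\\\\"):
        return "local", u.replace("/", "\\")
    return "remote", u


def assess_startup_url(text):
    """Verdict for one .url file found in a Startup folder."""
    target = parse_url_target(text)
    if target is None:
        return {"verdict": "malformed", "target": None}
    kind, path = classify_target(target)
    if kind == "remote":
        return {"verdict": "benign_remote", "target": path}
    ext = PureWindowsPath(path).suffix.lower()
    verdict = "suspicious_local_launcher" if ext in LAUNCHER_EXTS else "local_non_launcher"
    return {"verdict": verdict, "target": path, "extension": ext}


def scan_startup_folder(folder):
    """Assess every *.url under a Startup folder (per-user or all-users)."""
    return {p.name: assess_startup_url(p.read_text(errors="replace"))
            for p in Path(folder).glob("*.url")}


if __name__ == "__main__":
    print(assess_startup_url(SAMPLE_URL_FILE))
    print(assess_startup_url(BENIGN_URL_FILE))
```

On a live host, point scan_startup_folder at both %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp; a .url whose target is a local script is what the matched rule is looking for, and its target path gives you the file to acquire next (here the .vbs that wscript.exe ran).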
PE file has an executable .text section and no other executable sectionShow sources
Source: 0987654324.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\0987654324.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample reads its own file content
Source: C:\Users\user\Desktop\0987654324.exe | File read: C:\Users\user\Desktop\0987654324.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\0987654324.exe 'C:\Users\user\Desktop\0987654324.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\WerFaultSecure\WerFaultSecure.vbs'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknown | Process created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\WerFaultSecure\tcmsetup.exe 'C:\Users\user\WerFaultSecure\tcmsetup.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\Desktop\0987654324.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\WerFaultSecure\tcmsetup.exe 'C:\Users\user\WerFaultSecure\tcmsetup.exe'
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Submission file is bigger than most known malware samples
Source: 0987654324.exe | Static file information: File size 1502720 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
PE file contains a mix of data directories often seen in goodware
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: 0987654324.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: wpasv.exe, wpasv.exe.3.dr
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\RegAsm.pdb` source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000003.00000002.1431900323.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.1437937637.0000000005B20000.00000002.00000001.sdmp
PE file contains a valid data directory to section mapping
Source: 0987654324.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0987654324.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0987654324.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0987654324.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0987654324.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.RegAsm.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Code function: 4_2_00BF0639 push ebx; retn 007Dh, 4_2_00BF063C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 11_2_02BC0639 push esp; ret, 11_2_02BC063B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 11_2_02BC0700 push esp; iretd, 11_2_02BC0703
.NET source code contains many randomly named methods
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.RegAsm.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.RegAsm.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\WPA Service\wpasv.exe
Source: C:\Users\user\Desktop\0987654324.exe | File created: C:\Users\user\WerFaultSecure\tcmsetup.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\0987654324.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\0987654324.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\0987654324.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\0987654324.exe | Window / User API: threadDelayed 625
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 496
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 395
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 512
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Window / User API: threadDelayed 523
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\0987654324.exe TID: 5796 | Thread sleep count: 625 > 30
Source: C:\Users\user\Desktop\0987654324.exe TID: 5796 | Thread sleep count: 178 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4532 | Thread sleep time: -200000s >= -30000s
Source: C:\Program Files (x86)\WPA Service\wpasv.exe TID: 5196 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe TID: 1472 | Thread sleep count: 523 > 30
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe TID: 1472 | Thread sleep count: 220 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6052 | Thread sleep time: -922337203685477s >= -30000s
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_057E12DA GetSystemInfo, 3_2_057E12DA
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: RegAsm.exe, 00000003.00000002.1438499870.0000000006830000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000003.00000002.1438499870.0000000006830000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000003.00000002.1438499870.0000000006830000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000003.00000003.1334443404.00000000013BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000003.00000002.1438499870.0000000006830000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\0987654324.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0987654324.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\WerFaultSecure\tcmsetup.exe 'C:\Users\user\WerFaultSecure\tcmsetup.exe'
Source: C:\Users\user\WerFaultSecure\tcmsetup.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
May try to detect the Windows Explorer process (often used for injection)
Source: 0987654324.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000003.00000002.1434108030.000000000355A000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000003.00000002.1431560714.0000000001990000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.1431560714.0000000001990000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.1431560714.0000000001990000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY
Source: Yara match | File source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore RatShow sources
Source: RegAsm.exe, 00000003.00000002.1433804769.00000000034C0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara matchFile source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5480, type: MEMORY
Source: Yara matchFile source: 3.2.RegAsm.exe.5e00000.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 3.2.RegAsm.exe.5e00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_057E29FE bind, 3_2_057E29FE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_057E29AC bind, 3_2_057E29AC

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.72", "79.134.225.72:7690", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Behavior Graph

Behavior Graph ID: 217152
Sample: 0987654324.exe
Startdate: 23/03/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree recovered from the graph:
  • 0987654324.exe (started from the sample)
    • Dropped: C:\Users\user\WerFaultSecure\tcmsetup.exe, PE32
    • Signature: Maps a DLL or memory area into another process
    • Started: RegAsm.exe
      • DNS/IP: cashflow.hopto.org 197.210.85.254, 7690, unknown, Nigeria
      • DNS/IP: 79.134.225.72, 7690, unknown, Switzerland
      • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
      • Dropped: C:\Program Files (x86)\...\wpasv.exe, PE32
      • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • wscript.exe (started from the sample)
    • Started: tcmsetup.exe
      • Signature: Antivirus detection for dropped file
      • Signature: Maps a DLL or memory area into another process
      • Started: RegAsm.exe
  • wpasv.exe (started from the sample)
    • Started: conhost.exe

Simulations

Behavior and APIs

Time      Type             Description
07:16:00  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url
07:16:13  API Interceptor  694x Sleep call for process: RegAsm.exe modified
07:16:13  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WPA Service C:\Program Files (x86)\WPA Service\wpasv.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source          Detection  Scanner  Label
0987654324.exe  100%       Avira    HEUR/AGEN.1046681

Dropped Files

Source                                        Detection  Scanner       Label
C:\Users\user\WerFaultSecure\tcmsetup.exe     100%       Avira         HEUR/AGEN.1046681
C:\Program Files (x86)\WPA Service\wpasv.exe  1%         Virustotal
C:\Program Files (x86)\WPA Service\wpasv.exe  0%         Metadefender

Unpacked PE Files

Source                           Detection  Scanner  Label
3.2.RegAsm.exe.400000.0.unpack   100%       Avira    TR/Dropper.MSIL.Gen7
11.2.RegAsm.exe.400000.0.unpack  100%       Avira    TR/Dropper.MSIL.Gen7
0.0.0987654324.exe.fc0000.0.unpack  100%    Avira    HEUR/AGEN.1046681
6.0.tcmsetup.exe.ac0000.0.unpack    100%    Avira    HEUR/AGEN.1046681

Domains

Source              Detection  Scanner
cashflow.hopto.org  7%         Virustotal

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFaultSecure.url
Rule: Methodology_Suspicious_Shortcut_Local_URL
Description: Detects local script usage for .URL persistence
Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Strings:
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000000B.00000002.1362101561.0000000003110000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x24a47:$a: NanoCore
  • 0x24aa0:$a: NanoCore
  • 0x24add:$a: NanoCore
  • 0x24b56:$a: NanoCore
  • 0x24aa9:$b: ClientPlugin
  • 0x24ae6:$b: ClientPlugin
  • 0x253e4:$b: ClientPlugin
  • 0x253f1:$b: ClientPlugin
  • 0x1c29f:$e: KeepAlive
  • 0x24f31:$g: LogClientMessage
  • 0x24eb1:$i: get_Connected
  • 0x16a79:$j: #=q
  • 0x16aa9:$j: #=q
  • 0x16ae5:$j: #=q
  • 0x16b0d:$j: #=q
  • 0x16b3d:$j: #=q
  • 0x16b6d:$j: #=q
  • 0x16b9d:$j: #=q
  • 0x16bcd:$j: #=q
  • 0x16be9:$j: #=q
  • 0x16c19:$j: #=q

Source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000003.00000002.1436045946.0000000004507000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x33e5:$a: NanoCore
  • 0x343e:$a: NanoCore
  • 0x347b:$a: NanoCore
  • 0x34f4:$a: NanoCore
  • 0x16b9f:$a: NanoCore
  • 0x16bb4:$a: NanoCore
  • 0x16be9:$a: NanoCore
  • 0x2f66b:$a: NanoCore
  • 0x2f680:$a: NanoCore
  • 0x2f6b5:$a: NanoCore
  • 0x3447:$b: ClientPlugin
  • 0x3484:$b: ClientPlugin
  • 0x3d82:$b: ClientPlugin
  • 0x3d8f:$b: ClientPlugin
  • 0x1695b:$b: ClientPlugin
  • 0x16976:$b: ClientPlugin
  • 0x169a6:$b: ClientPlugin
  • 0x16bbd:$b: ClientPlugin
  • 0x16bf2:$b: ClientPlugin
  • 0x2f427:$b: ClientPlugin
  • 0x2f442:$b: ClientPlugin

Source: 00000003.00000002.1437794445.00000000059F0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Source: 00000003.00000002.1437794445.00000000059F0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000000B.00000002.1354842366.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000003.00000002.1430417703.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost

Source: 00000003.00000002.1438122244.0000000005E00000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000000B.00000002.1362309659.0000000004110000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x4a3e5:$a: NanoCore
  • 0x4a43e:$a: NanoCore
  • 0x4a47b:$a: NanoCore
  • 0x4a4f4:$a: NanoCore
  • 0x5db9f:$a: NanoCore
  • 0x5dbb4:$a: NanoCore
  • 0x5dbe9:$a: NanoCore
  • 0x7666b:$a: NanoCore
  • 0x76680:$a: NanoCore
  • 0x766b5:$a: NanoCore
  • 0x4a447:$b: ClientPlugin
  • 0x4a484:$b: ClientPlugin
  • 0x4ad82:$b: ClientPlugin
  • 0x4ad8f:$b: ClientPlugin
  • 0x5d95b:$b: ClientPlugin
  • 0x5d976:$b: ClientPlugin
  • 0x5d9a6:$b: ClientPlugin
  • 0x5dbbd:$b: ClientPlugin
  • 0x5dbf2:$b: ClientPlugin
  • 0x76427:$b: ClientPlugin
  • 0x76442:$b: ClientPlugin

Source: Process Memory Space: RegAsm.exe PID: 5464
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1d9ec:$x1: NanoCore.ClientPluginHost
  • 0x3f053:$x1: NanoCore.ClientPluginHost
  • 0x44c12:$x1: NanoCore.ClientPluginHost
  • 0x55a89:$x1: NanoCore.ClientPluginHost
  • 0x15a47a:$x1: NanoCore.ClientPluginHost
  • 0x16a0e7:$x1: NanoCore.ClientPluginHost
  • 0x23536b:$x1: NanoCore.ClientPluginHost
  • 0x1da12:$x2: IClientNetworkHost
  • 0x3f079:$x2: IClientNetworkHost
  • 0x44c57:$x2: IClientNetworkHost
  • 0x55ace:$x2: IClientNetworkHost
  • 0x15a4a0:$x2: IClientNetworkHost
  • 0x16a148:$x2: IClientNetworkHost
  • 0x2353b0:$x2: IClientNetworkHost
  • 0x16f54d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x17d4bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: Process Memory Space: RegAsm.exe PID: 5464
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: Process Memory Space: RegAsm.exe PID: 5464
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x1d8de:$a: NanoCore
  • 0x1d97f:$a: NanoCore
  • 0x1d9ec:$a: NanoCore
  • 0x1daad:$a: NanoCore
  • 0x1e97e:$a: NanoCore
  • 0x1e9d1:$a: NanoCore
  • 0x1ea0a:$a: NanoCore
  • 0x1ea7d:$a: NanoCore
  • 0x3ef45:$a: NanoCore
  • 0x3efe6:$a: NanoCore
  • 0x3f053:$a: NanoCore
  • 0x3f114:$a: NanoCore
  • 0x3ffe5:$a: NanoCore
  • 0x40038:$a: NanoCore
  • 0x40071:$a: NanoCore
  • 0x400e4:$a: NanoCore
  • 0x44b8c:$a: NanoCore
  • 0x44bb9:$a: NanoCore
  • 0x44c12:$a: NanoCore
  • 0x4c421:$a: NanoCore
  • 0x4c434:$a: NanoCore

Source: Process Memory Space: RegAsm.exe PID: 5480
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x103e9:$x1: NanoCore.ClientPluginHost
  • 0x1da1c:$x1: NanoCore.ClientPluginHost
  • 0x524b8:$x1: NanoCore.ClientPluginHost
  • 0x58077:$x1: NanoCore.ClientPluginHost
  • 0x68eee:$x1: NanoCore.ClientPluginHost
  • 0x1040f:$x2: IClientNetworkHost
  • 0x1da7d:$x2: IClientNetworkHost
  • 0x524de:$x2: IClientNetworkHost
  • 0x580bc:$x2: IClientNetworkHost
  • 0x68f33:$x2: IClientNetworkHost
  • 0x22e82:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x30df4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: Process Memory Space: RegAsm.exe PID: 5480
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: Process Memory Space: RegAsm.exe PID: 5480
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x35a3:$a: NanoCore
  • 0x3629:$a: NanoCore
  • 0x377d:$a: NanoCore
  • 0x102db:$a: NanoCore
  • 0x1037c:$a: NanoCore
  • 0x103e9:$a: NanoCore
  • 0x104aa:$a: NanoCore
  • 0x1137b:$a: NanoCore
  • 0x113ce:$a: NanoCore
  • 0x11407:$a: NanoCore
  • 0x1147a:$a: NanoCore
  • 0x12b50:$a: NanoCore
  • 0x12ebb:$a: NanoCore
  • 0x12efb:$a: NanoCore
  • 0x12f3b:$a: NanoCore
  • 0x12f71:$a: NanoCore
  • 0x12f8d:$a: NanoCore
  • 0x1d521:$a: NanoCore
  • 0x1d53d:$a: NanoCore
  • 0x1d698:$a: NanoCore
  • 0x1d6a7:$a: NanoCore

Unpacked PEs

Source: 3.2.RegAsm.exe.59f0000.2.raw.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.59f0000.2.raw.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.5e00000.4.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.5e00000.4.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.5e00000.4.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.5e00000.4.raw.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 11.2.RegAsm.exe.400000.0.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 11.2.RegAsm.exe.400000.0.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 11.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 11.2.RegAsm.exe.400000.0.unpack
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary: