
Analysis Report Invoice NTE..02192020.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 226567
Start date: 30.04.2020
Start time: 14:52:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Invoice NTE..02192020.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@19/14@2/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 0.3% (good quality ratio 0.2%)
  • Quality average: 47.8%
  • Quality standard deviation: 37.5%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 350
  • Number of non-executed functions: 52
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe
  • Execution Graph export aborted for target StName.exe, PID 3764 because it is empty
  • Execution Graph export aborted for target wpasv.exe, PID 2928 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.

Detection

Strategy | Score | Range | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | Nanocore | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques flagged in the matrix, grouped by tactic. The bracketed digits are the count badges printed after each technique in the original matrix, reproduced as printed; techniques that carried no badge (the unobserved remainder of the matrix template) are omitted.

Execution: Windows Management Instrumentation [1]
Persistence: Hidden Files and Directories [1]; Startup Items [1]; Registry Run Keys / Startup Folder [12]
Privilege Escalation: Startup Items [1]; Process Injection [112]
Defense Evasion: Masquerading [2]; Hidden Files and Directories [1]; Software Packing [13]; Disabling Security Tools [1]; Virtualization/Sandbox Evasion [2]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]
Credential Access: Input Capture [21]
Discovery: Virtualization/Sandbox Evasion [2]; Process Discovery [2]; Application Window Discovery [1]; Security Software Discovery [121]; File and Directory Discovery [1]; System Information Discovery [12]
Collection: Input Capture [21]
Exfiltration: Data Encrypted [11]
Command and Control: Standard Cryptographic Protocol [1]; Uncommonly Used Port [1]; Remote Access Tools [1]; Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [11]
Initial Access, Lateral Movement, Network Effects, Remote Service Effects, Impact: no techniques flagged

Signature Overview



AV Detection:

Found malware configuration
Source: Invoice NTE..02192020.exe.5104.2.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: norly.ddns.net; Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\WPA Service\wpasv.exe; Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; Virustotal: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Invoice NTE..02192020.exe; Virustotal: Detection: 28%
Yara detected Nanocore RAT
Source: Yara match; file source: 00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.662806611.0000000002C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.594728205.0000000003BC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.594308872.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.618075299.0000000003420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.663120568.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.618737691.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.549167583.00000000040C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.954578009.0000000004555000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.641081475.0000000003786000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.955095920.00000000046B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: wpasv.exe PID: 2928, type: MEMORY
Source: Yara match; file source: Process Memory Space: Invoice NTE..02192020.exe PID: 4028, type: MEMORY
Source: Yara match; file source: Process Memory Space: wpasv.exe PID: 2964, type: MEMORY
Source: Yara match; file source: Process Memory Space: StName.exe PID: 1116, type: MEMORY
Source: Yara match; file source: Process Memory Space: StName.exe PID: 3764, type: MEMORY
Source: Yara match; file source: Process Memory Space: Invoice NTE..02192020.exe PID: 5104, type: MEMORY
Source: Yara match; file source: 4.2.StName.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.wpasv.exe.400000.0.unpack, type: UNPACKEDPE
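The Yara hits above are identified only by Joe Sandbox dump names, which makes it hard to see at a glance that the same unpacked payload appears in all three processes. The script below is an added example written for this page, not code from the report or from Joe Sandbox: it parses those identifiers, groups them by process index and flags dumps of executable memory that sit just above an unpacked image base. The field layout assumed for .sdmp names (process index, analysis stage, dump id, base address, protection, flags) and the reading of the protection field as a Win32 PAGE_* value are assumptions that fit the names in this report; the process-index to image-name mapping is taken from the report's N.2.<name> unpack identifiers and N_2_ code-function prefixes, and the 64 KiB image window is an arbitrary threshold.

```python
"""Added example: summarise Joe Sandbox Yara match sources per process."""
import re
from collections import defaultdict

# Win32 PAGE_* protection constants (winnt.h). Only the execute bits matter here.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Process index -> image name, as implied by the report's "N_2_..." code-function
# prefixes and "N.2.<name>.<base>.0.unpack" identifiers.
PROCESS_NAMES = {0: "Invoice NTE..02192020.exe", 2: "Invoice NTE..02192020.exe",
                 3: "StName.exe", 4: "StName.exe", 5: "wpasv.exe", 6: "wpasv.exe"}

# ASSUMED layout of a .sdmp name (not documented on the report page):
#   <process index>.<stage>.<dump id>.<base address, hex>.<protection, hex>.<flags, hex>.sdmp
# Reading the protection field as a PAGE_* value is an assumption that fits the two
# values seen in the report: 0x04 (PAGE_READWRITE) and 0x40 (PAGE_EXECUTE_READWRITE).
DUMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)\.unpack$")

# Window above an unpacked image base within which an executable dump is treated as
# belonging to that image (assumed threshold).
IMAGE_WINDOW = 0x10000


def parse_dump_name(name):
    """Return the fields of a Joe Sandbox .sdmp identifier, or None if it is not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"kind": "dump", "process": int(m.group(1)), "stage": int(m.group(2)),
            "base": int(m.group(4), 16), "protect": int(m.group(5), 16)}


def parse_unpack_name(name):
    """Return the fields of an N.S.<image>.<base>.<n>.unpack identifier, or None."""
    m = UNPACK_RE.match(name)
    if not m:
        return None
    return {"kind": "unpack", "process": int(m.group(1)), "stage": int(m.group(2)),
            "image": m.group(3), "base": int(m.group(4), 16)}


def summarize(match_sources):
    """Group Yara match sources by process index; count dumps, executable dumps, unpacked PEs."""
    summary = defaultdict(lambda: {"name": None, "dumps": 0, "exec_dumps": [], "unpacked": []})
    for src in match_sources:
        rec = parse_dump_name(src) or parse_unpack_name(src)
        if rec is None:  # e.g. "Process Memory Space: wpasv.exe PID: 2928" carries no address
            continue
        entry = summary[rec["process"]]
        entry["name"] = PROCESS_NAMES.get(rec["process"], "?")
        if rec["kind"] == "dump":
            entry["dumps"] += 1
            if rec["protect"] & EXECUTE_MASK:
                entry["exec_dumps"].append(rec["base"])
        else:
            entry["unpacked"].append((rec["image"], rec["base"]))
    return dict(summary)


def probable_unpacked_payloads(summary):
    """Process indexes where an executable dump lies within IMAGE_WINDOW above an unpacked image base."""
    hits = []
    for idx, entry in summary.items():
        for _, image_base in entry["unpacked"]:
            if any(image_base <= b < image_base + IMAGE_WINDOW for b in entry["exec_dumps"]):
                hits.append(idx)
                break
    return sorted(hits)


# Subset of the match sources listed in the report, copied as printed.
REPORT_SOURCES = [
    "00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp",
    "00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp",
    "00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp",
    "00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp",
    "00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp",
    "00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp",
    "Process Memory Space: wpasv.exe PID: 2928",
    "4.2.StName.exe.400000.0.unpack",
    "2.2.Invoice NTE..02192020.exe.400000.0.unpack",
    "6.2.wpasv.exe.400000.0.unpack",
]

if __name__ == "__main__":
    s = summarize(REPORT_SOURCES)
    for idx in sorted(s):
        e = s[idx]
        print(f"process {idx} ({e['name']}): {e['dumps']} dump(s), executable at "
              f"{[hex(b) for b in e['exec_dumps']]}, unpacked {e['unpacked']}")
    print("probable unpacked payload in process indexes:", probable_unpacked_payloads(s))
```

Under these assumptions the script reports process indexes 2, 4 and 6 (the second instances of Invoice NTE..02192020.exe, StName.exe and wpasv.exe): each has an RWX dump at 0x402000 directly above an unpacked PE at 0x400000, which is the pattern of a .NET loader unpacking the same NanoCore image in every copy of itself.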
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WPA Service\wpasv.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Invoice NTE..02192020.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.StName.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.wpasv.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe; Code function: 4x nop then inc dword ptr [ebp-0Ch] (0_2_012C66E2)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; Code function: 4x nop then inc dword ptr [ebp-0Ch] (3_2_00FB66F0)
Source: C:\Program Files (x86)\WPA Service\wpasv.exe; Code function: 4x nop then inc dword ptr [ebp-0Ch] (5_2_00D566F0)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49705 -> 194.5.99.91:9098
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49710 -> 194.5.99.91:9098
Uses dynamic DNS services
Source: unknown; DNS query: name: norly.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.7:49705 -> 194.5.99.91:9098
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Connects to IPs without corresponding DNS lookups
Source: unknown; UDP traffic detected without corresponding DNS query: 37.235.1.174 (two events)
Found strings which match to known social media urls
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login; matches www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
Note that the social-media URLs are incidental: the string block is browser-credential recovery code (the moz_logins query and signons*.txt/signons.sqlite files are Firefox's saved-login store, IntelliForms\Storage2 is Internet Explorer's autocomplete password store), which is consistent with the WebBrowserPassView module named in the extracted configuration and the www.nirsoft.net URL found in the same dump.
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: norly.ddns.net
Urls found in memory or binary data
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
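Three of the network signatures in this section (a dynamic-DNS query, TCP to a non-standard port, and traffic to an IP the host never resolved) are simple enough to reproduce as detection logic over DNS and connection logs. The script below is an added example written for this page, not part of the Joe Sandbox report; it runs over a constructed event log that reuses the report's indicators (norly.ddns.net, 194.5.99.91:9098, the client ports 49705/49710, and 37.235.1.174). The dynamic-DNS suffix list, the standard-port allow-list, the DNS answer 194.5.99.91 for norly.ddns.net, the UDP destination port 53 and the google.com baseline lines are assumptions.

```python
"""Added example: replay the report's network signatures over a constructed event log."""
import ipaddress
from collections import defaultdict

# Illustrative dynamic-DNS suffixes; a production detector uses a maintained feed (assumption).
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
# Outbound TCP ports treated as standard; anything else is flagged (assumption).
STANDARD_TCP_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 465, 587, 993, 995, 3389}

# Constructed event log (not copied from the report). Two record shapes:
#   <ts> DNS  <src> <query> <answer-ip>
#   <ts> CONN <proto> <src>:<sport> <dst>:<dport>
# The C2 endpoint, client ports, dynamic-DNS name and 37.235.1.174 are the report's
# indicators; the answer 194.5.99.91, the UDP port 53 and the google.com lines are
# assumptions that give the detector a benign baseline.
SAMPLE_LOG = """\
1588251122 DNS 192.168.2.7 norly.ddns.net 194.5.99.91
1588251123 CONN tcp 192.168.2.7:49705 194.5.99.91:9098
1588251125 CONN udp 192.168.2.7:50111 37.235.1.174:53
1588251130 CONN tcp 192.168.2.7:49710 194.5.99.91:9098
1588251140 DNS 192.168.2.7 www.google.com 142.250.74.36
1588251141 CONN tcp 192.168.2.7:49720 142.250.74.36:443
"""


def is_dynamic_dns(name):
    """True if the query name ends in one of the known dynamic-DNS provider suffixes."""
    name = name.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def parse_events(text):
    """Parse the constructed log format into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        ts, kind = int(f[0]), f[1]
        if kind == "DNS":
            events.append({"ts": ts, "kind": "dns", "src": f[2], "query": f[3], "answer": f[4]})
        elif kind == "CONN":
            src, sport = f[3].rsplit(":", 1)
            dst, dport = f[4].rsplit(":", 1)
            events.append({"ts": ts, "kind": "conn", "proto": f[2].lower(), "src": src,
                           "sport": int(sport), "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, detail) findings for the three report signatures."""
    findings = []
    resolved = defaultdict(set)  # source host -> IPs it has resolved so far
    for e in events:
        if e["kind"] == "dns":
            resolved[e["src"]].add(e["answer"])
            if is_dynamic_dns(e["query"]):
                findings.append(("dynamic_dns_query", f"{e['src']} queried {e['query']}"))
            continue
        dst = ipaddress.ip_address(e["dst"])
        if dst.is_private or dst.is_loopback or dst.is_multicast:
            continue  # only Internet-bound flows are of interest here
        if e["proto"] == "tcp" and e["dport"] not in STANDARD_TCP_PORTS:
            findings.append(("non_standard_port",
                             f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"))
        # A destination the host never obtained from a DNS answer: either a hard-coded IP
        # or, as with 37.235.1.174 here, a resolver the host was not configured to use.
        if e["dst"] not in resolved[e["src"]]:
            findings.append(("no_dns_lookup",
                             f"{e['src']} -> {e['dst']}:{e['dport']}/{e['proto']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:20s} {detail}")
```

On the constructed log this yields four findings: the dynamic-DNS query, both TCP sessions to 194.5.99.91:9098, and the UDP packet to 37.235.1.174, while the resolved google.com session on 443 produces nothing. The "no DNS lookup" rule is keyed per source host and only considers answers seen before the flow, so log order matters; on real Zeek or firewall data the same logic needs a time window rather than an unbounded set.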

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: StName.exe, 00000003.00000002.590686889.0000000000CB0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: Invoice NTE..02192020.exe, 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Same Yara matches as listed under AV Detection above (17 memory dumps, 6 process memory spaces and 3 unpacked PEs across Invoice NTE..02192020.exe, StName.exe and wpasv.exe).

System Summary:

Malicious sample detected (through community Yara rule)
Matched rules: "Detetcs the Nanocore RAT" (author: Florian Roth) and "NanoCore" (author: Kevin Breen <kevin@techanarchy.net>).
Sources matching both rules:
Source: 00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.594728205.0000000003BC5000.00000004.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.594308872.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.549167583.00000000040C6000.00000004.00000001.sdmp, type: MEMORY
Source: 00000005.00000002.641081475.0000000003786000.00000004.00000001.sdmp, type: MEMORY
Source: Process Memory Space: wpasv.exe PID: 2928, type: MEMORY
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 4028, type: MEMORY
Source: Process Memory Space: wpasv.exe PID: 2964, type: MEMORY
Source: Process Memory Space: StName.exe PID: 1116, type: MEMORY
Source: Process Memory Space: StName.exe PID: 3764, type: MEMORY
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 5104, type: MEMORY
Source: 4.2.StName.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, type: UNPACKEDPE
Source: 6.2.wpasv.exe.400000.0.unpack, type: UNPACKEDPE
Sources matching only the "NanoCore" rule (Kevin Breen):
Source: 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.662806611.0000000002C40000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.618075299.0000000003420000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.953875534.0000000004385000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.663120568.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.618737691.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.954578009.0000000004555000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.955095920.00000000046B6000.00000004.00000001.sdmp, type: MEMORY
.NET source code contains very large array initializations
Source: Invoice NTE..02192020.exe, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Source: StName.exe.0.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Source: 0.2.Invoice NTE..02192020.exe.a70000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Source: wpasv.exe.2.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Source: 2.0.Invoice NTE..02192020.exe.6d0000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Source: 2.2.Invoice NTE..02192020.exe.6d0000.1.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs; Large array initialization: .cctor: array initializer size 3248
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Invoice NTE..02192020.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe; Code functions: 0_2_012C7B08, 0_2_012C7B18, 0_2_07A40710, 0_2_07A40FE0, 0_2_07A45505, 0_2_07A45510, 0_2_07A444E2, 0_2_07A403C8, 0_2_07A43B80, 0_2_07A43B6F, 2_2_010BE471, 2_2_010BE480, 2_2_010BBBD4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe; Code functions: 3_2_00FB7B18, 3_2_00FB7B08, 3_2_075B0710, 3_2_075B0FE0, 3_2_075B5510, 3_2_075B5505, 3_2_075B44F0, 3_2_075B44E1, 3_2_075B3B6F, 3_2_075B03C8, 3_2_075B3B80, 4_2_0149E471, 4_2_0149E480, 4_2_0149BBD4, 4_2_058C3E30, 4_2_058C4A50, 4_2_058C4B08
Source: C:\Program Files (x86)\WPA Service\wpasv.exe; Code functions: 5_2_00D57B18, 5_2_00D57B08, 5_2_07200710, 5_2_07200FE0, 5_2_07205505, 5_2_07205510, 5_2_072044E2, 5_2_072044F0, 5_2_072003C8, 5_2_07203B6F, 5_2_07203B80, 6_2_02BD9788, 6_2_02BDF5F8, 6_2_02BDA610
PE file contains strange resources
Source: Invoice NTE..02192020.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: StName.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wpasv.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Invoice NTE..02192020.exe | Binary or memory string: OriginalFilename vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000000.00000002.561047187.0000000006880000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary1.dll< vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000000.00000002.561047187.0000000006880000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameikpueju.exe8 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000000.00000002.547882192.00000000030C8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000000.00000002.546844211.0000000002E60000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll. vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe | Binary or memory string: OriginalFilename vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000000.543996291.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameClassLibrary1.dll< vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000000.543996291.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameikpueju.exe8 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.949231074.0000000000E60000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe, 00000002.00000002.950454556.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe | Binary or memory string: OriginalFilenameClassLibrary1.dll< vs Invoice NTE..02192020.exe
Source: Invoice NTE..02192020.exe | Binary or memory string: OriginalFilenameikpueju.exe8 vs Invoice NTE..02192020.exe
Yara signature match
Source: 00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.662806611.0000000002C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.594728205.0000000003BC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.594728205.0000000003BC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.594308872.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.594308872.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.618075299.0000000003420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.953875534.0000000004385000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.663120568.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.618737691.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.549167583.00000000040C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.549167583.00000000040C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.954578009.0000000004555000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641081475.0000000003786000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641081475.0000000003786000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.955095920.00000000046B6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wpasv.exe PID: 2928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wpasv.exe PID: 2928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 4028, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 4028, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wpasv.exe PID: 2964, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wpasv.exe PID: 2964, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: StName.exe PID: 1116, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: StName.exe PID: 1116, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: StName.exe PID: 3764, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: StName.exe PID: 3764, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 5104, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice NTE..02192020.exe PID: 5104, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.StName.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.StName.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.StName.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.wpasv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.wpasv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.wpasv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: Invoice NTE..02192020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: StName.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wpasv.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functions
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Classification label
Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@19/14@2/1
Creates files inside the program directory
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | File created: C:\Program Files (x86)\WPA Service
Creates files inside the user directory
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Creates mutexes
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{624de92d-efc0-4fbf-8d91-5eb1b3fdc8a4}
PE file has an executable .text section and no other executable section
Source: Invoice NTE..02192020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads software policies
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: Invoice NTE..02192020.exe | Virustotal: Detection: 28%
Sample reads its own file content
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | File read: C:\Users\user\Desktop\Invoice NTE..02192020.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Invoice NTE..02192020.exe 'C:\Users\user\Desktop\Invoice NTE..02192020.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Invoice NTE..02192020.exe C:\Users\user\Desktop\Invoice NTE..02192020.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Source: unknown | Process created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe'
Source: unknown | Process created: C:\Program Files (x86)\WPA Service\wpasv.exe C:\Program Files (x86)\WPA Service\wpasv.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\erczoafd.mv5'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\erczoafd.mv5'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\erczoafd.mv5'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\erczoafd.mv5'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\erczoafd.mv5'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\x4pzbufr.i4e'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\x4pzbufr.i4e'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\x4pzbufr.i4e'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\x4pzbufr.i4e'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\x4pzbufr.i4e'
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Process created: C:\Users\user\Desktop\Invoice NTE..02192020.exe C:\Users\user\Desktop\Invoice NTE..02192020.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Process created: C:\Program Files (x86)\WPA Service\wpasv.exe C:\Program Files (x86)\WPA Service\wpasv.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
PE file contains a COM descriptor data directory
Source: Invoice NTE..02192020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Invoice NTE..02192020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: 26.pdb source: Invoice NTE..02192020.exe, 00000000.00000002.547882192.00000000030C8000.00000004.00000001.sdmp, StName.exe, 00000003.00000002.591992869.0000000002960000.00000004.00000001.sdmp, wpasv.exe, 00000005.00000002.637897265.0000000002520000.00000004.00000001.sdmp
Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.949401331.0000000000E94000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Invoice NTE..02192020.exe, 00000002.00000003.881217146.0000000008692000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\Unhook\Unhook\obj\Debug\Unhook.pdb source: Invoice NTE..02192020.exe, 00000000.00000002.546844211.0000000002E60000.00000004.00000001.sdmp, StName.exe, 00000003.00000002.591992869.0000000002960000.00000004.00000001.sdmp, wpasv.exe, 00000005.00000002.637897265.0000000002520000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ClassLibrary1.pdbD-^- P-_CorDllMainmscoree.dll source: Invoice NTE..02192020.exe
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: wpasv.exe, Invoice NTE..02192020.exe
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.954749538.00000000045CB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Invoice NTE..02192020.exe, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Invoice NTE..02192020.exe, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Invoice NTE..02192020.exe, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: StName.exe.0.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: StName.exe.0.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: StName.exe.0.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Invoice NTE..02192020.exe.a70000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Invoice NTE..02192020.exe.a70000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Invoice NTE..02192020.exe.a70000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: wpasv.exe.2.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: wpasv.exe.2.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: wpasv.exe.2.dr, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Invoice NTE..02192020.exe.6d0000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Invoice NTE..02192020.exe.6d0000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Invoice NTE..02192020.exe.6d0000.0.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Invoice NTE..02192020.exe.6d0000.1.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: N System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Invoice NTE..02192020.exe.6d0000.1.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Invoice NTE..02192020.exe.6d0000.1.unpack, aJfbTGZDoHdocsYYQBGAQzWxOoEG.cs, .Net Code: MyHandler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs, .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains an invalid checksum
Source: Invoice NTE..02192020.exe, Static PE information: real checksum: 0x6578a should be: 0x8cfa2
Source: wpasv.exe.2.dr, Static PE information: real checksum: 0x6578a should be: 0x8cfa2
Source: StName.exe.0.dr, Static PE information: real checksum: 0x6578a should be: 0x8cfa2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, Code function: 0_2_012CC300 push 012CC39Fh; ret 0_2_012CC337
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, Code function: 0_2_012C7250 push 84071AC3h; ret 0_2_012C7259
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe, Code function: 3_2_00FBCAD0 push eax; retf 3_2_00FBCB0B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe, Code function: 3_2_00FB7250 push 8406D1C3h; ret 3_2_00FB7259
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe, Code function: 4_2_058C6E5D push FFFFFF8Bh; iretd 4_2_058C6E5F
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 5_2_00D57250 push 840696C3h; ret 5_2_00D57259
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 6_2_02BD69F8 pushad ; retf 6_2_02BD69F9
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 6_2_02BD69FA push esp; retf 6_2_02BD6A01
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 6_2_02BD6CFF pushfd ; iretd 6_2_02BD6D0E
Binary may include packed or encrypted code
Source: initial sample, Static PE information: section name: .text entropy: 7.73560588219
Source: initial sample, Static PE information: section name: .text entropy: 7.73560588219
Source: initial sample, Static PE information: section name: .text entropy: 7.73560588219
.NET source code contains many randomly named methods
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs, High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.Invoice NTE..02192020.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs, High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, File created: C:\Program Files (x86)\WPA Service\wpasv.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe\:Zone.Identifier:$DATA
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe\:Zone.Identifier:$DATA

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, File opened: C:\Users\user\Desktop\Invoice NTE..02192020.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe, Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe, Process information set: NOOPENFILEERRORBOX (60 identical entries)
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Window / User API: threadDelayed 3851
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Window / User API: threadDelayed 5198
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Window / User API: foregroundWindowGot 529
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Window / User API: foregroundWindowGot 732
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe TID: 4684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe TID: 4936 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe TID: 4572 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe TID: 2432 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WPA Service\wpasv.exe TID: 2960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WPA Service\wpasv.exe TID: 4684 | Thread sleep time: -922337203685477s >= -30000s
Enumerates the file system
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Invoice NTE..02192020.exe, 00000002.00000002.950454556.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Invoice NTE..02192020.exe, 00000002.00000002.949401331.0000000000E94000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYr+
Source: Invoice NTE..02192020.exe, 00000002.00000002.950454556.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Invoice NTE..02192020.exe, 00000002.00000002.950454556.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Invoice NTE..02192020.exe, 00000002.00000002.950454556.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Memory written: C:\Users\user\Desktop\Invoice NTE..02192020.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Memory written: C:\Program Files (x86)\WPA Service\wpasv.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Process created: C:\Users\user\Desktop\Invoice NTE..02192020.exe C:\Users\user\Desktop\Invoice NTE..02192020.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Process created: C:\Program Files (x86)\WPA Service\wpasv.exe C:\Program Files (x86)\WPA Service\wpasv.exe
May try to detect the Windows Explorer process (often used for injection)
Source: Invoice NTE..02192020.exe, 00000002.00000002.952222401.0000000002D8E000.00000004.00000001.sdmp | Binary or memory string: Program Managerh
Source: Invoice NTE..02192020.exe, 00000002.00000002.952222401.0000000002D8E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: Invoice NTE..02192020.exe, 00000002.00000002.950906059.0000000001570000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Invoice NTE..02192020.exe, 00000002.00000002.950906059.0000000001570000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Invoice NTE..02192020.exe, 00000002.00000002.950906059.0000000001570000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: Program Managert
Source: Invoice NTE..02192020.exe, 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp | Binary or memory string: Program Manager0"
Source: Invoice NTE..02192020.exe, 00000002.00000002.950906059.0000000001570000.00000002.00000001.sdmp | Binary or memory string: =Program Managerb

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Queries volume information: C:\Users\user\Desktop\Invoice NTE..02192020.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Queries volume information: C:\Program Files (x86)\WPA Service\wpasv.exe VolumeInformation
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: StName.exe, 00000003.00000002.590819912.0000000000CED000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: StName.exe, 00000003.00000002.590819912.0000000000CED000.00000004.00000020.sdmp | Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Invoice NTE..02192020.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StName.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\WPA Service\wpasv.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.640593101.0000000003677000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.662806611.0000000002C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.659186071.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.951269747.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.947134550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.594728205.0000000003BC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.594308872.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.953621955.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.618075299.0000000003420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.614348922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.548684358.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.663120568.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.618737691.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.549167583.00000000040C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.954578009.0000000004555000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.641081475.00<