Loading ...

Play interactive tourEdit tour

Analysis Report Documents RF V23665.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:228963
Start date:11.05.2020
Start time:09:16:48
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 20s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Documents RF V23665.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@5/7@0/1
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 20.8% (good quality ratio 3%)
  • Quality average: 10.1%
  • Quality standard deviation: 25%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 93.184.221.240
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Execution Graph export aborted for target MSBuild.exe, PID 5560 because it is empty
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
Nanocore
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1Hidden Files and Directories1Process Injection12Masquerading2Input Capture11Virtualization/Sandbox Evasion12Application Deployment SoftwareInput Capture11Data Encrypted11Uncommonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesHidden Files and Directories1Network SniffingProcess Discovery2Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Cryptographic Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionSoftware Packing11Input CaptureApplication Window Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote Access Tools1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingDisabling Security Tools1Credentials in FilesSecurity Software Discovery1Logon ScriptsInput CaptureData EncryptedStandard Application Layer Protocol1SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessVirtualization/Sandbox Evasion12Account ManipulationSystem Information Discovery12Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceProcess Injection12Brute ForceSystem Owner/User DiscoveryThird-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskDeobfuscate/Decode Files or Information1Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionObfuscated Files or Information1Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: Documents RF V23665.exeVirustotal: Detection: 27%Perma Link
Source: Documents RF V23665.exeReversingLabs: Detection: 35%
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORY
Source: Yara matchFile source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked fileShow sources
Source: 2.2.MSBuild.exe.800000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49747 -> 185.140.53.12:1985
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.2.5:49747 -> 185.140.53.12:1985
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
Source: unknownTCP traffic detected without corresponding DNS query: 216.58.208.46
Source: unknownTCP traffic detected without corresponding DNS query: 216.58.208.46
Source: unknownTCP traffic detected without corresponding DNS query: 216.58.208.46
Source: unknownTCP traffic detected without corresponding DNS query: 216.58.208.46
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Source: unknownTCP traffic detected without corresponding DNS query: 185.140.53.12
Urls found in memory or binary dataShow sources
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: http://google.com
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)Show sources
Source: MSBuild.exe, 00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORY
Source: Yara matchFile source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Binary is likely a compiled AutoIt script fileShow sources
Source: Documents RF V23665.exe, 00000000.00000000.757269426.000000000136E000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: Documents RF V23665.exe, 00000000.00000000.757269426.000000000136E000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Documents RF V23665.exeString found in binary or memory: This is a third-party compiled AutoIt script.
Source: Documents RF V23665.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sampleStatic PE information: Filename: Documents RF V23665.exe
Detected potential crypto functionShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_04BF2FA82_2_04BF2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_04BF38502_2_04BF3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_04BF23A02_2_04BF23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_04BF306F2_2_04BF306F
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 4_2_00F5692F4_2_00F5692F
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 4_2_00F569504_2_00F56950
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 4_2_00F56D084_2_00F56D08
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 4_2_018F07084_2_018F0708
PE file contains strange resourcesShow sources
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents RF V23665.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wpasv.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wpasv.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wpasv.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature matchShow sources
Source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Binary contains paths to development resourcesShow sources
Source: wpasv.exe, 00000004.00000002.876899136.00000000036A0000.00000004.00000001.sdmpBinary or memory string: q)(C:\Program Files (x86)\WPA Service\*.sln
Source: wpasv.exe, 00000004.00000000.866719540.0000000000F52000.00000002.00020000.sdmp, wpasv.exe.2.drBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: wpasv.exe, 00000004.00000000.866719540.0000000000F52000.00000002.00020000.sdmp, wpasv.exe.2.drBinary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: wpasv.exe, 00000004.00000000.866719540.0000000000F52000.00000002.00020000.sdmp, wpasv.exe.2.drBinary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: wpasv.exeBinary or memory string: *.sln
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.evad.winEXE@5/7@0/1
Creates files inside the program directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Program Files (x86)\WPA ServiceJump to behavior
Creates files inside the user directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0Jump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1b68869e-dd8c-4eea-829f-d7272a505d3a}
PE file has an executable .text section and no other executable sectionShow sources
Source: Documents RF V23665.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: Documents RF V23665.exeVirustotal: Detection: 27%
Source: Documents RF V23665.exeReversingLabs: Detection: 35%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Documents RF V23665.exe 'C:\Users\user\Desktop\Documents RF V23665.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe
Source: unknownProcess created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Documents RF V23665.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exeJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Uses Microsoft SilverlightShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Documents RF V23665.exeStatic file information: File size 1436160 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
PE file contains a mix of data directories often seen in goodwareShow sources
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directoryShow sources
Source: Documents RF V23665.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000002.00000002.1184186938.00000000026A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1184186938.00000000026A5000.00000004.00000040.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.1184186938.00000000026A5000.00000004.00000040.sdmp, wpasv.exe, wpasv.exe.2.dr
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
Source: Binary string: indows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000002.00000002.1184186938.00000000026A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmp
PE file contains a valid data directory to section mappingShow sources
Source: Documents RF V23665.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Documents RF V23665.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Documents RF V23665.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Documents RF V23665.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Documents RF V23665.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
.NET source code contains potential unpackerShow sources
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_024B74C0 push ebp; ret 2_2_024B74C1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_024B74B4 push ecx; ret 2_2_024B74B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 2_2_024BDEC4 push esp; retf 2_2_024BDEC5
.NET source code contains many randomly named methodsShow sources
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.MSBuild.exe.800000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Program Files (x86)\WPA Service\wpasv.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | deleteJump to behavior
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Documents RF V23665.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Sleep loop found (likely to delay execution)Show sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeThread sleep count: Count: 6101 delay: -10Jump to behavior
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeThread delayed: delay time: 922337203685477Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeWindow / User API: threadDelayed 6101Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: threadDelayed 437Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: threadDelayed 1015Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: foregroundWindowGot 610Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: foregroundWindowGot 560Jump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Desktop\Documents RF V23665.exe TID: 5372Thread sleep count: 298 > 30Jump to behavior
Source: C:\Users\user\Desktop\Documents RF V23665.exe TID: 5372Thread sleep count: 6101 > 30Jump to behavior
Source: C:\Users\user\Desktop\Documents RF V23665.exe TID: 5372Thread sleep time: -61010s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5640Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exe TID: 6024Thread sleep time: -922337203685477s >= -30000sJump to behavior
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Documents RF V23665.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Enables debug privilegesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\Documents RF V23665.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exeJump to behavior
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: MSBuild.exe, 00000002.00000002.1187208623.0000000002D97000.00000004.00000001.sdmpBinary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.1183433545.00000000010A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.1183433545.00000000010A0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.1183433545.00000000010A0000.00000002.00000001.sdmpBinary or memory string: hProgram ManagerWE
Source: Documents RF V23665.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: MSBuild.exe, 00000002.00000002.1183433545.00000000010A0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: MSBuild.exe, 00000002.00000002.1187208623.0000000002D97000.00000004.00000001.sdmpBinary or memory string: Program Managerild`1
Source: MSBuild.exe, 00000002.00000003.901787549.0000000000AB3000.00000004.00000001.sdmpBinary or memory string: Program Manager(x86)\WPA Service\wpasv.exe

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Program Files (x86)\WPA Service\wpasv.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\WPA Service\wpasv.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORY
Source: Yara matchFile source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore RatShow sources
Source: MSBuild.exe, 00000002.00000002.1189388072.0000000003D78000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5560, type: MEMORY
Source: Yara matchFile source: 2.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

TimeTypeDescription
09:17:36AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WPA Service C:\Program Files (x86)\WPA Service\wpasv.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Documents RF V23665.exe28%VirustotalBrowse
Documents RF V23665.exe35%ReversingLabsScript-AutoIt.Trojan.Frs

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\WPA Service\wpasv.exe0%VirustotalBrowse
C:\Program Files (x86)\WPA Service\wpasv.exe0%MetadefenderBrowse

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
2.2.MSBuild.exe.800000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000002.00000002.1181914305.0000000000802000.00000020.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000002.00000002.1185584798.00000000029F0000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x12133:$a: NanoCore
    • 0x1218c:$a: NanoCore
    • 0x121c9:$a: NanoCore
    • 0x12242:$a: NanoCore
    • 0x88ebe:$a: NanoCore
    • 0x88ee3:$a: NanoCore
    • 0x88f3c:$a: NanoCore
    • 0x990b3:$a: NanoCore
    • 0x990d9:$a: NanoCore
    • 0x99135:$a: NanoCore
    • 0xa5f93:$a: NanoCore
    • 0xa5fec:$a: NanoCore
    • 0xa601f:$a: NanoCore
    • 0xa624b:$a: NanoCore
    • 0xa62c7:$a: NanoCore
    • 0xa68e0:$a: NanoCore
    • 0xa6a29:$a: NanoCore
    • 0xa6efd:$a: NanoCore
    • 0xa71e4:$a: NanoCore
    • 0xa71fb:$a: NanoCore
    • 0xb00cb:$a: NanoCore
    00000002.00000002.1187788937.0000000003A43000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Process Memory Space: MSBuild.exe PID: 5560Nanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x2c402:$x1: NanoCore.ClientPluginHost
      • 0x38bdc:$x1: NanoCore.ClientPluginHost
      • 0x5457c:$x1: NanoCore.ClientPluginHost
      • 0x62f37:$x1: NanoCore.ClientPluginHost
      • 0xb83b0:$x1: NanoCore.ClientPluginHost
      • 0xff729:$x1: NanoCore.ClientPluginHost
      • 0x166006:$x1: NanoCore.ClientPluginHost
      • 0x198968:$x1: NanoCore.ClientPluginHost
      • 0x1a3264:$x1: NanoCore.ClientPluginHost
      • 0x1b5ddf:$x1: NanoCore.ClientPluginHost
      • 0x1b8e48:$x1: NanoCore.ClientPluginHost
      • 0x1be1e4:$x1: NanoCore.ClientPluginHost
      • 0x1c1639:$x1: NanoCore.ClientPluginHost
      • 0x1c4407:$x1: NanoCore.ClientPluginHost
      • 0x1d167d:$x1: NanoCore.ClientPluginHost
      • 0x1d883c:$x1: NanoCore.ClientPluginHost
      • 0x1dd67c:$x1: NanoCore.ClientPluginHost
      • 0x1e9e76:$x1: NanoCore.ClientPluginHost
      • 0x2b3fec:$x1: NanoCore.ClientPluginHost
      • 0x2c4e68:$x1: NanoCore.ClientPluginHost
      • 0x2c428:$x2: IClientNetworkHost
      Process Memory Space: MSBuild.exe PID: 5560JoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        Process Memory Space: MSBuild.exe PID: 5560NanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0x2c3c1:$a: NanoCore
        • 0x2c402:$a: NanoCore
        • 0x32da7:$a: NanoCore
        • 0x32dce:$a: NanoCore
        • 0x38b9b:$a: NanoCore
        • 0x38bdc:$a: NanoCore
        • 0x3c031:$a: NanoCore
        • 0x3c058:$a: NanoCore
        • 0x5450b:$a: NanoCore
        • 0x5453b:$a: NanoCore
        • 0x5457c:$a: NanoCore
        • 0x5c297:$a: NanoCore
        • 0x5c2ad:$a: NanoCore
        • 0x5c2d4:$a: NanoCore
        • 0x62eca:$a: NanoCore
        • 0x62efa:$a: NanoCore
        • 0x62f37:$a: NanoCore
        • 0x69769:$a: NanoCore
        • 0x6977f:$a: NanoCore
        • 0x697a2:$a: NanoCore
        • 0xb7eb5:$a: NanoCore

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        2.2.MSBuild.exe.800000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        2.2.MSBuild.exe.800000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xff05:$x1: NanoCore Client.exe
        • 0x1018d:$x2: NanoCore.ClientPluginHost
        • 0x117c6:$s1: PluginCommand
        • 0x117ba:$s2: FileCommand
        • 0x1266b:$s3: PipeExists
        • 0x18422:$s4: PipeCreated
        • 0x101b7:$s5: IClientLoggingHost
        2.2.MSBuild.exe.800000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          2.2.MSBuild.exe.800000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
          • 0xfef5:$a: NanoCore
          • 0xff05:$a: NanoCore
          • 0x10139:$a: NanoCore
          • 0x1014d:$a: NanoCore
          • 0x1018d:$a: NanoCore
          • 0xff54:$b: ClientPlugin
          • 0x10156:$b: ClientPlugin
          • 0x10196:$b: ClientPlugin
          • 0x1007b:$c: ProjectData
          • 0x10a82:$d: DESCrypto
          • 0x1844e:$e: KeepAlive
          • 0x1643c:$g: LogClientMessage
          • 0x12637:$i: get_Connected
          • 0x10db8:$j: #=q
          • 0x10de8:$j: #=q
          • 0x10e04:$j: #=q
          • 0x10e34:$j: #=q
          • 0x10e50:$j: #=q
          • 0x10e6c:$j: #=q
          • 0x10e9c:$j: #=q
          • 0x10eb8:$j: #=q

          Sigma Overview


          System Summary:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 5560, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
          unknowninvoice ftg5454432255566633223.exeGet hashmaliciousBrowse
          • 66.45.232.205
          https://chainlinkx.net/redirect.phpGet hashmaliciousBrowse
          • 172.217.21.194
          sora.1.sh4Get hashmaliciousBrowse
          • 238.214.44.47
          http://donhang.loza.vn/vendor/phpunit/phpunit/jamees/Luncur.phpGet hashmaliciousBrowse
          • 202.182.102.172
          Invoice-Payment-Slip_pdf.jsGet hashmaliciousBrowse
          • 104.23.99.190
          http://memetagroup.com/auma.htmlGet hashmaliciousBrowse
          • 192.185.159.37
          microsoft office 2007 service pack 2.exeGet hashmaliciousBrowse
          • 91.195.240.136
          https://blogarchive.morty.info/ct.ashx?id=6465a916-c80c-48b6-88b8-3cb29db46131&url=https%3A%2F%2Fnfu7872uhed.blob.core.windows.net%2Fjhr37823uhjew%2FAbV.html%23dGltQG1haW5mcmVpZ2h0LmNvbQ==Get hashmaliciousBrowse
          • 104.31.81.17
          https://dzshopland.com/Get hashmaliciousBrowse
          • 66.171.248.178
          owari.1.sh4Get hashmaliciousBrowse
          • 70.37.80.37
          https://firebasestorage.googleapis.com/v0/b/soav-954b2.appspot.com/o/index.html?alt=media&token=86e7f3e3-fa2c-40fe-a160-fb6e0ac6a956#roberto@claremedica.comGet hashmaliciousBrowse
          • 192.229.221.185
          https://printlogz.com/ee/index.phpGet hashmaliciousBrowse
          • 46.165.204.121
          setup_1022.exeGet hashmaliciousBrowse
          • 62.210.30.113
          lilin.mipsGet hashmaliciousBrowse
          • 8.184.2.33
          https://v.ht/5DsSGet hashmaliciousBrowse
          • 216.58.206.2
          Qm.1993.xlsGet hashmaliciousBrowse
          • 151.101.0.133
          https://blamecuertaier.club/updc/benlay/DOC/srq75t9vvxw30mr0bhgbtgmp.php?L4181815890148528bf61f39a2d2b8175f038fc8fdb08bdc8bf61f39a2d2b8175f038fc8fdb08bdc8bf61f39a2d2b8175f038fc8fdb08bdc8bf61f39a2d2b8175f038fc8fdb08bdc8bf61f39a2d2b8175f038fc8fdb08bdc&email=&error=Get hashmaliciousBrowse
          • 162.241.101.83
          mod#U00e8le_note_de_confidentialit#U00e9_rapport_de_stage.jsGet hashmaliciousBrowse
          • 94.152.128.213
          mod#U00e8le_note_de_confidentialit#U00e9_rapport_de_stage.jsGet hashmaliciousBrowse
          • 94.152.128.213
          h2.exeGet hashmaliciousBrowse
          • 185.62.56.131

          JA3 Fingerprints

          No context

          Dropped Files

          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
          C:\Program Files (x86)\WPA Service\wpasv.exe78547744787.jsGet hashmaliciousBrowse
            58669333.jsGet hashmaliciousBrowse
              58669333.jsGet hashmaliciousBrowse
                78547744787.jsGet hashmaliciousBrowse
                  78547744787.jsGet hashmaliciousBrowse
                    order.exeGet hashmaliciousBrowse
                      order pdf.exeGet hashmaliciousBrowse
                        14invoice.exeGet hashmaliciousBrowse

                          Screenshots

                          Thumbnails

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.