
Analysis Report aXfA69gLbsTjxGu.exe

Overview

General Information

Sample Name: aXfA69gLbsTjxGu.exe
Analysis ID: 253929
MD5: e48ae3c3e58006ec47ac08b4213583d2
SHA1: 9cc9976eff7b8bdafb7990d14de72a481703ceb1
SHA256: 55357cf739afcec5d05df3b2b63b50ac2f3fc09f5d6abd2065656a62c90145af

Most interesting Screenshot:

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • aXfA69gLbsTjxGu.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe' MD5: E48AE3C3E58006EC47AC08B4213583D2)
    • schtasks.exe (PID: 7160 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6184 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • dhcpmon.exe (PID: 1516 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
aXfA69gLbsTjxGu.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b791:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b791:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xa83b5:$x1: NanoCore.ClientPluginHost
  • 0xdabd5:$x1: NanoCore.ClientPluginHost
  • 0xa83f2:$x2: IClientNetworkHost
  • 0xdac12:$x2: IClientNetworkHost
  • 0xabf25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xde745:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa811d:$a: NanoCore
  • 0xa812d:$a: NanoCore
  • 0xa8361:$a: NanoCore
  • 0xa8375:$a: NanoCore
  • 0xa83b5:$a: NanoCore
  • 0xda93d:$a: NanoCore
  • 0xda94d:$a: NanoCore
  • 0xdab81:$a: NanoCore
  • 0xdab95:$a: NanoCore
  • 0xdabd5:$a: NanoCore
  • 0xa817c:$b: ClientPlugin
  • 0xa837e:$b: ClientPlugin
  • 0xa83be:$b: ClientPlugin
  • 0xda99c:$b: ClientPlugin
  • 0xdab9e:$b: ClientPlugin
  • 0xdabde:$b: ClientPlugin
  • 0xa82a3:$c: ProjectData
  • 0xdaac3:$c: ProjectData
  • 0xa8caa:$d: DESCrypto
  • 0xdb4ca:$d: DESCrypto
  • 0xb0676:$e: KeepAlive
00000000.00000000.1278877948.00000000007C2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b591:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.1301085961.00000000007C2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b591:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.aXfA69gLbsTjxGu.exe.7c0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b791:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.aXfA69gLbsTjxGu.exe.7c0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3b791:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6184, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe', ParentImage: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe, ParentProcessId: 7080, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp', ProcessId: 7160

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: aXfA69gLbsTjxGu.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 79.134.225.71:1985
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 79.134.225.71:1985
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.71

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117AB1E NtQuerySystemInformation,0_2_0117AB1E
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117A9AE NtQueryInformationProcess,0_2_0117A9AE
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117A98C NtQueryInformationProcess,0_2_0117A98C
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117AAE3 NtQuerySystemInformation,0_2_0117AAE3
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4A880 0_2_02B4A880
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B41CE1 0_2_02B41CE1
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44EC8 0_2_02B44EC8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4C830 0_2_02B4C830
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B48C60 0_2_02B48C60
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B413B9 0_2_02B413B9
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B42BA0 0_2_02B42BA0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B487E0 0_2_02B487E0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B47DD0 0_2_02B47DD0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B40BD8 0_2_02B40BD8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4B9C8 0_2_02B4B9C8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4AF37 0_2_02B4AF37
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B46B30 0_2_02B46B30
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B46480 0_2_02B46480
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B400F0 0_2_02B400F0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44AF0 0_2_02B44AF0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B456FF 0_2_02B456FF
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4A807 0_2_02B4A807
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B46472 0_2_02B46472
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4B060 0_2_02B4B060
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B45C40 0_2_02B45C40
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B40BB9 0_2_02B40BB9
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B449A0 0_2_02B449A0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44990 0_2_02B44990
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B42B85 0_2_02B42B85
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B42FF8 0_2_02B42FF8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B445F8 0_2_02B445F8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B481D8 0_2_02B481D8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B46B20 0_2_02B46B20
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4E928 0_2_02B4E928
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B45718 0_2_02B45718
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44B00 0_2_02B44B00
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B43970 0_2_02B43970
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B49D73 0_2_02B49D73
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B45178 0_2_02B45178
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B43960 0_2_02B43960
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B4516A 0_2_02B4516A
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44D50 0_2_02B44D50
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B44D42 0_2_02B44D42
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_02B42B43 0_2_02B42B43
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A439C0 0_2_05A439C0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A47930 0_2_05A47930
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A43D68 0_2_05A43D68
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A464A8 0_2_05A464A8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A473B8 0_2_05A473B8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A49375 0_2_05A49375
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A476D8 0_2_05A476D8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A42618 0_2_05A42618
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A439B0 0_2_05A439B0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A451B9 0_2_05A451B9
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A47920 0_2_05A47920
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A43D58 0_2_05A43D58
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A428A0 0_2_05A428A0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A49480 0_2_05A49480
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A46497 0_2_05A46497
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A430C3 0_2_05A430C3
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A454DC 0_2_05A454DC
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A40007 0_2_05A40007
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A40070 0_2_05A40070
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A45458 0_2_05A45458
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A46B81 0_2_05A46B81
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A443E0 0_2_05A443E0
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A42F26 0_2_05A42F26
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A46B53 0_2_05A46B53
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A45AA7 0_2_05A45AA7
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A45AB8 0_2_05A45AB8
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A42E98 0_2_05A42E98
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A456EC 0_2_05A456EC
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A42608 0_2_05A42608
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A46A78 0_2_05A46A78
Source: aXfA69gLbsTjxGu.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: &startupname&.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aXfA69gLbsTjxGu.exe | Binary or memory string: OriginalFilename vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000000.1278877948.00000000007C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKhQxP.exe. vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1306610737.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1307800725.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1307800725.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1307747046.0000000006150000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1307150117.0000000005760000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe | Binary or memory string: OriginalFilenameKhQxP.exe. vs aXfA69gLbsTjxGu.exe
Source: aXfA69gLbsTjxGu.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.1305137708.0000000003F78000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.1278877948.00000000007C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.1301085961.00000000007C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: aXfA69gLbsTjxGu.exe PID: 7080, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.2.aXfA69gLbsTjxGu.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.0.aXfA69gLbsTjxGu.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: aXfA69gLbsTjxGu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: &startupname&.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302379559.0000000002EF1000.00000004.00000001.sdmp | Binary or memory string: Databricks.sln
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/11@0/1
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117A65E AdjustTokenPrivileges,0_2_0117A65E
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_0117A627 AdjustTokenPrivileges,0_2_0117A627
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aXfA69gLbsTjxGu.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{b906c32a-7c7b-408f-aea8-c2cf051540c7}
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe
Source: aXfA69gLbsTjxGu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File read: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe
Source: unknown | Process created: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe 'C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp'
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: aXfA69gLbsTjxGu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: aXfA69gLbsTjxGu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 00000007.00000002.1338966185.0000000002A10000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source: Binary string: mscorrc.pdb source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1306610737.00000000052D0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_007C7BC6 push ebp; retf 0_2_007C7BF1
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_007C3FBB push ebp; retf 0_2_007C3FBC
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_007C6EA2 push cs; iretd 0_2_007C6EB3
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | Code function: 0_2_05A408DE push esp; ret 0_2_05A408DF
Source: initial sample | Static PE information: section name: .text entropy: 7.52649056389
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
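Zone.Identifier is the NTFS alternate data stream that carries the Mark of the Web; deleting it strips the "downloaded from the Internet" status that SmartScreen and Office Protected View key on. Note the target here: the stream being removed belongs to RegSvcs.exe, the .NET host the sample started (see the process creation under Anti Debugging and the suspended-mode creation in the summary), so what the signature catches is the injected payload clearing the stream of its own host image rather than of a freshly downloaded file. The Python below is an added example for this page, not code from the report or from the sample: it parses the INI-style body of a Zone.Identifier stream and runs a simple triage over constructed file-access records (the fields `image`, `path` and `access` are assumed names, not a real log schema), flagging any handle opened on a Zone.Identifier stream with delete access.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written in the ZoneTransfer section of the stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the body of file.ext:Zone.Identifier; None if it is absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone = parser.getint("ZoneTransfer", "ZoneId")
    return MarkOfTheWeb(
        zone_id=zone,
        zone_name=ZONE_NAMES.get(zone, f"unknown ({zone})"),
        referrer_url=parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        host_url=parser.get("ZoneTransfer", "HostUrl", fallback=None),
    )


def is_motw_removal(event: dict) -> bool:
    """True when a process opens a Zone.Identifier stream with delete access."""
    path = event.get("path", "")
    access = {a.strip().lower() for a in event.get("access", "").split("|")}
    return path.lower().endswith(":zone.identifier") and "delete" in access


def stripped_streams(events) -> list:
    """(image, stream path) pairs for every MOTW removal in the records."""
    return [(e["image"], e["path"]) for e in events if is_motw_removal(e)]


# Constructed stream body, in the layout Windows writes after a browser download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/sample.exe\r\n")

# Constructed file-access records (hypothetical schema, see lead-in).
SAMPLE_EVENTS = [
    {  # the access the report shows on RegSvcs.exe's own stream
        "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
        "path": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier",
        "access": "read attributes | delete",
    },
    {  # constructed benign: Explorer reading the stream to decide on a warning prompt
        "image": r"C:\Windows\explorer.exe",
        "path": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier",
        "access": "read data | read attributes",
    },
]

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {motw.zone_id} ({motw.zone_name}) from {motw.host_url}")
    for image, path in stripped_streams(SAMPLE_EVENTS):
        print(f"[!] {image} removed the Mark of the Web on {path}")
```

Reading the stream is routine (Explorer, browsers and Office all do it), so the triage keys on delete access rather than on any access at all; a ZoneId of 3 is what a browser download carries and is the value the removal is meant to erase.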
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process information set: NOOPENFILEERRORBOX (27 identical events)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Process information set: NOOPENFILEERRORBOX (62 identical events)
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Process information set: NOOPENFILEERRORBOX (19 identical events)

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match -- File source: Process Memory Space: aXfA69gLbsTjxGu.exe PID: 7080, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Thread delayed: delay time: 922337203685477
    Note: 922337203685477 is Int64.MaxValue ticks (TimeSpan.MaxValue) divided by 10,000, i.e. the largest .NET TimeSpan expressed in milliseconds. A delay of that size is a thread parked indefinitely rather than a tuned sleep, so these three entries say less about timing evasion than the bounded sleeps and the repeated threadDelayed / foregroundWindowGot calls listed next.
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Window / User API: threadDelayed 472
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Window / User API: threadDelayed 1176
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Window / User API: foregroundWindowGot 664
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Window / User API: foregroundWindowGot 608
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe TID: 7084 -- Thread sleep time: -38000s >= -30000s
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe TID: 7100 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5648 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: vmware
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: VMWARE
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II
    Source: aXfA69gLbsTjxGu.exe, 00000000.00000002.1302402567.0000000002EFC000.00000004.00000001.sdmp -- Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process information queried: ProcessInformation

    Anti Debugging:

    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Code function: 0_2_0117A172 CheckRemoteDebuggerPresent -- 0_2_0117A172
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process queried: DebugPort (4 identical events)
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Process token adjusted: Debug
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCED.tmp'
    Source: C:\Users\user\Desktop\aXfA69gLbsTjxGu.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: RegSvcs.exe, 00000003.00000003.1307618299.0000000005F5E000.00000004.00000001.sdmp -- Binary or memory string: Program Manager]
    Source: RegSvcs.exe, 00000003.00000003.1368217339.0000000005F5D000.00000004.00000001.sdmp -- Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation (2 identical events)
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (2 identical events)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:
