
Analysis Report ORDER0001.exe

Overview

General Information

Sample Name: ORDER0001.exe
Analysis ID: 254548
MD5: b5b3d64fca9a3604c0a2b0271e9f0735
SHA1: 6c811875c11b6b960e79f0c4650b767f15d27572
SHA256: 2bc8ab981b57a028207d7c3541c80dd72f2c84e36483c62b547c32d43b28ef28

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ORDER0001.exe (PID: 5824 cmdline: 'C:\Users\user\Desktop\ORDER0001.exe' MD5: B5B3D64FCA9A3604C0A2B0271E9F0735)
    • schtasks.exe (PID: 1040 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER0001.exe (PID: 5060 cmdline: {path} MD5: B5B3D64FCA9A3604C0A2B0271E9F0735)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ORDER0001.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x717b3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x717b3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x33dd:$a: NanoCore
  • 0x3436:$a: NanoCore
  • 0x3473:$a: NanoCore
  • 0x34ec:$a: NanoCore
  • 0x16b97:$a: NanoCore
  • 0x16bac:$a: NanoCore
  • 0x16be1:$a: NanoCore
  • 0x2f663:$a: NanoCore
  • 0x2f678:$a: NanoCore
  • 0x2f6ad:$a: NanoCore
  • 0x343f:$b: ClientPlugin
  • 0x347c:$b: ClientPlugin
  • 0x3d7a:$b: ClientPlugin
  • 0x3d87:$b: ClientPlugin
  • 0x16953:$b: ClientPlugin
  • 0x1696e:$b: ClientPlugin
  • 0x1699e:$b: ClientPlugin
  • 0x16bb5:$b: ClientPlugin
  • 0x16bea:$b: ClientPlugin
  • 0x2f41f:$b: ClientPlugin
  • 0x2f43a:$b: ClientPlugin
[18 further entries not shown]

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.ORDER0001.exe.d90000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x717b3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
7.2.ORDER0001.exe.5ec0000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.ORDER0001.exe.5ec0000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.ORDER0001.exe.5ec0000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
7.2.ORDER0001.exe.5ec0000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
[11 further entries not shown]

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\ORDER0001.exe, ProcessId: 5060, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER0001.exe', ParentImage: C:\Users\user\Desktop\ORDER0001.exe, ParentProcessId: 5824, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp', ProcessId: 1040

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY
Source: Yara match, File source: 7.2.ORDER0001.exe.5ec0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.ORDER0001.exe.5ec0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER0001.exe, Joe Sandbox ML: detected

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: dora21.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.6:49707 -> 185.244.30.57:54777
Source: unknown, DNS traffic detected: queries for: elley.awsmppl.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER0001.exe, 00000000.00000003.282356230.0000000005939000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comits
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: ORDER0001.exe, 00000000.00000003.282356230.0000000005939000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comper
Source: ORDER0001.exe, 00000000.00000003.282356230.0000000005939000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comtig
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER0001.exe, 00000000.00000003.280779203.0000000005941000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: ORDER0001.exe, 00000000.00000002.304423154.0000000005AC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER0001.exe, 00000000.00000003.281242054.0000000005944000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: ORDER0001.exe, 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY
Source: Yara match, File source: 7.2.ORDER0001.exe.5ec0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.ORDER0001.exe.5ec0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.557650775.0000000005870000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.ORDER0001.exe.5ec0000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ORDER0001.exe.5ec0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ORDER0001.exe.5870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: ORDER0001.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_06BB13D2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_06BB1397 NtQuerySystemInformation
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03491642 NtQuerySystemInformation
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03491607 NtQuerySystemInformation
Detected potential crypto function
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F1818
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F15D9
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F180B
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F1338
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F0A2F
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_055F2D29
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576E150
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576E548
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05766431
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057653F8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057637C8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05767278
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05765AE8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05767190
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05769599
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576A05F
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05768CC0
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05765348
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576CFF8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057693F8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05768FF8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05767FF8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05767FE8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05768FE8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057693E8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057647C8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576DA70
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05769646
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_0576CA48
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05768A30
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05768A21
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05769210
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_05769200
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 0_2_057696A3
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03282FA8
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_032823A0
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_0328AD38
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03288468
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03289068
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_03283850
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_0328912F
Source: C:\Users\user\Desktop\ORDER0001.exe, Code function: 7_2_0328306F
PE file contains strange resources
Source: ORDER0001.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: &startupname&.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ORDER0001.exe, 00000000.00000002.308892513.0000000008CE0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000002.309431815.0000000008D40000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSparta.dll. vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000002.310021463.00000000097F0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000002.310021463.00000000097F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000000.277997251.0000000000E44000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameOzZzk.exe< vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000002.309758363.0000000008EF0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLoreal.exe4 vs ORDER0001.exe
Source: ORDER0001.exe, 00000000.00000002.309903191.00000000096F0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.558034514.0000000005A70000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.554559039.000000000166A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.555428926.0000000003480000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.550291134.0000000000F94000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameOzZzk.exe< vs ORDER0001.exe
Source: ORDER0001.exe, 00000007.00000002.558715581.0000000006A30000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ORDER0001.exe
Source: ORDER0001.exe, Binary or memory string: OriginalFilenameOzZzk.exe< vs ORDER0001.exe
Yara signature match
Source: ORDER0001.exe, type: SAMPLE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.558430577.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.556692883.0000000004847000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.299377362.0000000000D92000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000002.549860327.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.277884767.0000000000D92000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.302515278.0000000004613000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.549260315.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.298412346.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000002.557650775.0000000005870000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.557650775.0000000005870000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: ORDER0001.exe PID: 5060, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ORDER0001.exe PID: 5824, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.0.ORDER0001.exe.d90000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 7.2.ORDER0001.exe.5ec0000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.ORDER0001.exe.5ec0000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.ORDER0001.exe.5ec0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.ORDER0001.exe.5ec0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.ORDER0001.exe.5870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.ORDER0001.exe.5870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ORDER0001.exe.d90000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.ORDER0001.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.ORDER0001.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 7.0.ORDER0001.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: ORDER0001.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: &startupname&.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/5@22/1
        Source: C:\Users\user\Desktop\ORDER0001.exeCode function: 0_2_06BB0ECA AdjustTokenPrivileges,0_2_06BB0ECA
        Source: C:\Users\user\Desktop\ORDER0001.exeCode function: 0_2_06BB0E93 AdjustTokenPrivileges,0_2_06BB0E93
        Source: C:\Users\user\Desktop\ORDER0001.exeCode function: 7_2_03491402 AdjustTokenPrivileges,7_2_03491402
        Source: C:\Users\user\Desktop\ORDER0001.exeCode function: 7_2_034913CB AdjustTokenPrivileges,7_2_034913CB
        Source: C:\Users\user\Desktop\ORDER0001.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ORDER0001.exe.logJump to behavior
        Source: C:\Users\user\Desktop\ORDER0001.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{63cf7343-f4a7-4b16-a020-e7ff946b65f4}
        Source: C:\Users\user\Desktop\ORDER0001.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
        Source: C:\Users\user\Desktop\ORDER0001.exeFile created: C:\Users\user\AppData\Local\Temp\&startupname&.exeJump to behavior
        Source: C:\Users\user\Desktop\ORDER0001.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\ORDER0001.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\ORDER0001.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\ORDER0001.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\ORDER0001.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\ORDER0001.exe | File read: C:\Users\user\Desktop\ORDER0001.exe
        Source: unknown | Process created: C:\Users\user\Desktop\ORDER0001.exe 'C:\Users\user\Desktop\ORDER0001.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\ORDER0001.exe {path}
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp'
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process created: C:\Users\user\Desktop\ORDER0001.exe {path}
        Source: C:\Users\user\Desktop\ORDER0001.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\ORDER0001.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: ORDER0001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\ORDER0001.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: ORDER0001.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: ORDER0001.exe, 00000000.00000002.308892513.0000000008CE0000.00000002.00000001.sdmp, ORDER0001.exe, 00000007.00000002.558034514.0000000005A70000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 0_2_00D97C06 push es; ret 0_2_00D98094
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 0_2_00D976E4 push cs; ret 0_2_00D97700
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 0_2_05769DB0 push edi; ret 0_2_05769DB1
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 0_2_0576ABE8 push FFFFFFE9h; ret 0_2_0576ABEA
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_00EE76E4 push cs; ret 7_2_00EE7700
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_00EE7C06 push es; ret 7_2_00EE8094
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_015874B8 push ebp; ret 7_2_015874B9
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_01589D30 pushad ; retf 7_2_01589D31
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_015874AC push ecx; ret 7_2_015874AD
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_01589D2C push eax; retf 7_2_01589D2D
        Source: initial sample | Static PE information: section name: .text entropy: 7.84154615325
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.2.ORDER0001.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\ORDER0001.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\ORDER0001.exe | File opened: C:\Users\user\Desktop\ORDER0001.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: Process Memory Space: ORDER0001.exe PID: 5824, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\ORDER0001.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: C:\Users\user\Desktop\ORDER0001.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\ORDER0001.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\ORDER0001.exe | Window / User API: threadDelayed 1025
        Source: C:\Users\user\Desktop\ORDER0001.exe | Window / User API: foregroundWindowGot 845
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 3492 | Thread sleep time: -41000s >= -30000s
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 5660 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 1288 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 1288 | Thread sleep count: 110 > 30
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 1288 | Thread sleep count: 1025 > 30
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 1336 | Thread sleep count: 200 > 30
        Source: C:\Users\user\Desktop\ORDER0001.exe TID: 1288 | Thread sleep count: 34 > 30
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 7_2_0349112A GetSystemInfo,7_2_0349112A
        Source: ORDER0001.exe, 00000007.00000002.558715581.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: ORDER0001.exe, 00000007.00000002.554754498.00000000016D4000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
        Source: ORDER0001.exe, 00000007.00000002.558715581.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: ORDER0001.exe, 00000007.00000002.558715581.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: ORDER0001.exe, 00000000.00000002.301406145.0000000003561000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: ORDER0001.exe, 00000007.00000002.558715581.0000000006A30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        Source: C:\Users\user\Desktop\ORDER0001.exe | Code function: 0_2_0305A172 CheckRemoteDebuggerPresent,0_2_0305A172
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\ORDER0001.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\ORDER0001.exe | Memory written: C:\Users\user\Desktop\ORDER0001.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpC98D.tmp'
        Source: C:\Users\user\Desktop\ORDER0001.exe | Process created: C:\Users\user\Desktop\ORDER0001.exe {path}
        Source: ORDER0001.exe, 00000007.00000002.554754498.00000000016D4000.00000004.00000020.sdmp | Binary or memory string: Program Manager
        Source: ORDER0001.exe, 00000007.00000002.555035515.0000000001D40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: ORDER0001.exe, 00000007.00000002.555035515.0000000001D40000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: ORDER0001.exe, 00000007.00000002.556212100.0000000003891000.00000004.00000001.sdmp | Binary or memory string: Program Managerp
        Source: ORDER0001.exe, 00000007.00000002.555035515.0000000001D40000.00000002.00000001.sdmp | Binary or memory string: Program ManagerNd[\
        Source: ORDER0001.exe, 00000007.00000002.555035515.0000000001D40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: ORDER0001.exe, 00000007.00000002.554754498.00000000016D4000.00000004.00000020.sdmp | Binary or memory string: qProgram Manager
        Source: ORDER0001.exe, 00000007.00000002.556212100.0000000003891000.00000004.00000001.sdmp | Binary or memory string: Program Manager fg