Analysis Report PURCHASE ORDER__EXPORT0012625_ DOC_pdf.exe

Overview

General Information

Sample Name: PURCHASE ORDER__EXPORT0012625_ DOC_pdf.exe
Analysis ID: 280501
MD5: 323a8b14a53a392944625f44e902c281
SHA1: 30af230456fe2ef8178fad6ab8b933aa7d7fafb8
SHA256: aef79065bfa5ed29e5026b3b0f2b4398009e8f54e31c26719df095e3160c87f5

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Keylogger Generic
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for reading data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • PURCHASE ORDER__EXPORT0012625_ DOC_pdf.exe (PID: 5088 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER__EXPORT0012625_ DOC_pdf.exe' MD5: 323A8B14A53A392944625F44E902C281)
    • notepad.exe (PID: 4784 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • file.exe (PID: 4728 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 240 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
          • schtasks.exe (PID: 4536 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp78F3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 484 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C11.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • file.exe (PID: 4608 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 240 3765171 MD5: 323A8B14A53A392944625F44E902C281)
  • file.exe (PID: 6708 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe 0 MD5: 323A8B14A53A392944625F44E902C281)
    • file.exe (PID: 1664 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe 0 MD5: 323A8B14A53A392944625F44E902C281)
    • file.exe (PID: 1904 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 1664 3770265 MD5: 323A8B14A53A392944625F44E902C281)
      • file.exe (PID: 4168 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 6856 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 7012 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 6856 3784671 MD5: 323A8B14A53A392944625F44E902C281)
          • file.exe (PID: 6140 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
  • dhcpmon.exe (PID: 1420 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 323A8B14A53A392944625F44E902C281)
    • notepad.exe (PID: 1816 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • file.exe (PID: 1996 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 2296 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 6724 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 2296 3772687 MD5: 323A8B14A53A392944625F44E902C281)
          • file.exe (PID: 7044 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
            • file.exe (PID: 5908 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
            • file.exe (PID: 4732 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 5908 3787125 MD5: 323A8B14A53A392944625F44E902C281)
    • file.exe (PID: 4688 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
    • file.exe (PID: 3820 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 4688 3799250 MD5: 323A8B14A53A392944625F44E902C281)
  • dhcpmon.exe (PID: 6768 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 323A8B14A53A392944625F44E902C281)
    • notepad.exe (PID: 5032 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • file.exe (PID: 5772 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 6608 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
        • file.exe (PID: 6652 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 6608 3782125 MD5: 323A8B14A53A392944625F44E902C281)
          • file.exe (PID: 1420 cmdline: C:\Users\user\AppData\Roaming\appdata\file.exe MD5: 323A8B14A53A392944625F44E902C281)
  • wscript.exe (PID: 7020 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • file.exe (PID: 4724 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' MD5: 323A8B14A53A392944625F44E902C281)
      • file.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' MD5: 323A8B14A53A392944625F44E902C281)
      • file.exe (PID: 460 cmdline: 'C:\Users\user\AppData\Roaming\appdata\file.exe' 2 6660 3790265 MD5: 323A8B14A53A392944625F44E902C281)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["4.4.4.4:444"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000015.00000002.234858688.0000000002192000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000015.00000002.234858688.0000000002192000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000015.00000002.234858688.0000000002192000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000015.00000001.216047368.000000000044D000.00000040.00020000.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xa1e5:$x1: NanoCore.ClientPluginHost
  • 0xa222:$x2: IClientNetworkHost
  • 0xdd55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000015.00000001.216047368.000000000044D000.00000040.00020000.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security