
Analysis Report CV_Job Request___.exe

Overview

General Information

Sample Name:CV_Job Request___.exe
Analysis ID:280701
MD5:ae432213626640771634698367f342af
SHA1:01ee195e55931761600881d7a5694f9564c6df33
SHA256:86c1f1b4e67bcece57ab2f98a224a3ab4d46e9bdca3abbd64f618bb5e00ac69c

Detection

Nanocore, AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected Nanocore RAT
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • CV_Job Request___.exe (PID: 4884 cmdline: 'C:\Users\user\Desktop\CV_Job Request___.exe' MD5: AE432213626640771634698367F342AF)
    • File.exe (PID: 3992 cmdline: 'C:\Users\user\AppData\Local\Temp\File.exe' MD5: 3925E06D0D992A6228FA1DC7143B082C)
      • schtasks.exe (PID: 6280 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hpkIdrg' /XML 'C:\Users\user\AppData\Local\Temp\tmpDEC4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • File.exe (PID: 6404 cmdline: {path} MD5: 3925E06D0D992A6228FA1DC7143B082C)
        • schtasks.exe (PID: 6528 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF6EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFB46.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • svhost.exe (PID: 2664 cmdline: C:\Users\user\AppData\Local\Temp\svhost.exe MD5: B3A917344F5610BEEC562556F11300FA)
      • iexplore.exe (PID: 4264 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 4428 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4264 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6272 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4264 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • cmd.exe (PID: 6448 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:/Users/user/Desktop/CV_Job Request___.exe' '%appdata%\FolderN\name.exe' /Y MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6520 cmdline: 'C:\Windows\System32\cmd.exe' /c reg add 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /v Load /t REG_SZ /d '%appdata%\FolderN\name.exe.lnk' /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6612 cmdline: reg add 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /v Load /t REG_SZ /d 'C:\Users\user\AppData\Roaming\FolderN\name.exe.lnk' /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 3832 cmdline: 'C:\Windows\System32\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\name.exe:Zone.Identifier MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6472 cmdline: 'C:\Windows\System32\cmd.exe' /c ren '%appdata%\FolderN\name.exe.jpg' name.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 804 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\FolderN\name.exe.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5492 cmdline: timeout /t 300 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • File.exe (PID: 6848 cmdline: C:\Users\user\AppData\Local\Temp\File.exe 0 MD5: 3925E06D0D992A6228FA1DC7143B082C)
    • File.exe (PID: 3564 cmdline: {path} MD5: 3925E06D0D992A6228FA1DC7143B082C)
  • dhcpmon.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 3925E06D0D992A6228FA1DC7143B082C)
    • dhcpmon.exe (PID: 5220 cmdline: {path} MD5: 3925E06D0D992A6228FA1DC7143B082C)
  • dhcpmon.exe (PID: 2636 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 3925E06D0D992A6228FA1DC7143B082C)
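The process tree above is the evidence behind several of the behavioural signatures listed under Signatures: the Sigma rule "Scheduled temp file as task from temp location" (schtasks.exe /create with an /xml file in the user's Temp directory), "Creates an undocumented autostart registry key" (the legacy Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, which userinit runs at logon), "Hides that the sample has been downloaded from the Internet" (echo into the Zone.Identifier alternate data stream; ZoneId 2 is the Trusted sites zone, so SmartScreen and Office no longer treat the copy as Internet content), "Drops files with a non-matching file extension" (name.exe.jpg renamed to name.exe) and "Contains long sleeps" (timeout /t 300). The following script is an added example, not part of the Joe Sandbox report or of the sample: it re-implements those checks as regular-expression rules over command lines and runs them against the command lines copied from the Startup section. The rule names, the helper functions and the 180-second sleep threshold are my own choices; the tool's actual Sigma/Yara logic is not reproduced here.

```python
"""Added example (not from the report): behavioural signatures above,
rewritten as regex rules over process command lines."""
import re
from typing import Dict, List, Optional, Tuple

# (PID, cmdline) pairs copied from the Startup section of the report.
PROCESS_TREE: List[Tuple[int, str]] = [
    (4884, r"'C:\Users\user\Desktop\CV_Job Request___.exe'"),
    (6280, r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hpkIdrg' "
           r"/XML 'C:\Users\user\AppData\Local\Temp\tmpDEC4.tmp'"),
    (6528, r"'schtasks.exe' /create /f /tn 'DHCP Monitor' "
           r"/xml 'C:\Users\user\AppData\Local\Temp\tmpF6EF.tmp'"),
    (6612, r"reg add 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' "
           r"/v Load /t REG_SZ /d 'C:\Users\user\AppData\Roaming\FolderN\name.exe.lnk' /f"),
    (3832, r"'C:\Windows\System32\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 "
           r"> %appdata%\FolderN\name.exe:Zone.Identifier"),
    (6472, r"'C:\Windows\System32\cmd.exe' /c ren '%appdata%\FolderN\name.exe.jpg' name.exe"),
    (5492, r"timeout /t 300"),
    (6344, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Matches the user's Temp directory either expanded or as %temp%.
TEMP = r"(?:\\AppData\\Local\\Temp\\|%temp%\\)"

# Rule names are my own; each comment names the report signature it mirrors.
RULES = {
    # Sigma "Scheduled temp file as task from temp location": task created
    # from an XML definition that lives in Temp.
    "schtasks_xml_from_temp": re.compile(
        r"schtasks(?:\.exe)?'?\s+/create\b.*?/xml\s+'?[^']*" + TEMP, re.I),
    # "Creates an undocumented autostart registry key": legacy Load value
    # under ...\Windows NT\CurrentVersion\Windows, executed at user logon.
    "autostart_load_value": re.compile(
        r"\breg(?:\.exe)?\s+add\s+'?(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft"
        r"\\Windows NT\\CurrentVersion\\Windows'?\s+/v\s+Load\b", re.I),
    # "Hides that the sample has been downloaded from the Internet":
    # writing the Zone.Identifier ADS replaces the mark of the web.
    "zone_identifier_rewrite": re.compile(r":Zone\.Identifier\b", re.I),
    # "Drops files with a non-matching file extension": payload staged
    # under a benign extension and renamed to .exe before use.
    "rename_disguised_extension": re.compile(
        r"\bren\s+'?[^']*\.(?:jpg|png|gif|txt|pdf)'?\s+\S+\.exe\b", re.I),
    # "Contains long sleeps": timeout.exe used as a delay (seconds captured).
    "long_timeout_sleep": re.compile(r"\btimeout\s+/t\s+(\d+)", re.I),
}

# URLZONE values as Windows interprets the ZoneId field of the ADS.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def zone_id_written(cmdline: str) -> Optional[int]:
    """Return the ZoneId an 'echo [ZoneTransfer]ZoneId=N > f:Zone.Identifier'
    command writes, or None if the command line does not write one."""
    m = re.search(r"\[ZoneTransfer\]\s*ZoneId\s*=\s*(\d)", cmdline, re.I)
    return int(m.group(1)) if m else None


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules that match one command line."""
    hits: List[str] = []
    for name, pattern in RULES.items():
        m = pattern.search(cmdline)
        if not m:
            continue
        if name == "long_timeout_sleep":
            # Mirror the report's "long sleeps (>= 3 min)" threshold (my choice).
            if int(m.group(1)) < 180:
                continue
        elif name == "zone_identifier_rewrite":
            zone = zone_id_written(cmdline)
            if zone is not None:
                # Anything below 3 (Internet) is the evasion: the file no
                # longer carries the mark of the web.
                name = f"{name} (ZoneId={zone}: {ZONE_NAMES.get(zone, 'unknown')})"
        hits.append(name)
    return hits


def scan(tree: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Map each PID that triggers at least one rule to its rule names."""
    findings: Dict[int, List[str]] = {}
    for pid, cmdline in tree:
        hits = classify(cmdline)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(PROCESS_TREE).items():
        print(pid, ", ".join(hits))
```

Running the script flags PIDs 6280, 6528, 6612, 3832, 6472 and 5492 and nothing for the dropper itself or for conhost.exe, which is the expected split: the initial CV_Job Request___.exe is quiet on the command line and all the persistence and evasion work is delegated to child processes. The same rules can be pointed at Sysmon event ID 1 or Windows 4688 command-line fields instead of the report's process tree.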