
Analysis Report Acknowledgment NEW ORDER.exe

Overview

General Information

Sample Name:Acknowledgment NEW ORDER.exe
Analysis ID:282418
MD5:c8e4f84b78ebd0930e7902c87e61bcf1
SHA1:5b30e2296d80fb4d53bd63e255952e30ad18c31d
SHA256:d406a7a9f53d855c09c085482979c935b2668db373e5809b7e48dedfb1206a9f

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Acknowledgment NEW ORDER.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe' MD5: C8E4F84B78EBD0930E7902C87E61BCF1)
    • schtasks.exe (PID: 6708 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.11"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings

3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

3.2.Acknowledgment NEW ORDER.exe.5a50000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe, ProcessId: 6756, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe', ParentImage: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe, ParentProcessId: 6644, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp', ProcessId: 6708

Signature Overview


AV Detection:

Found malware configuration
Source: Acknowledgment NEW ORDER.exe.6756.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.11"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\KXtjcSAHzIh.exe | Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Roaming\KXtjcSAHzIh.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: Acknowledgment NEW ORDER.exe | Virustotal: Detection: 26%
Source: Acknowledgment NEW ORDER.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic | TCP traffic: 192.168.2.4:49717 -> 79.134.225.11:1010
Source: unknown | DNS traffic detected: queries for: evapimp.myq-see.com
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.481979662.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Acknowledgment NEW ORDER.exe.5a50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Acknowledgment NEW ORDER.exe
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D2D45
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D36BA
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D46B6
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D9F60
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_0278B184
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_0278C428
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D21B8
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F92D45
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F936BA
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F946B6
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F99F60
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_033BE471
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_033BE480
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_033BBBD4
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_03579788
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_0357F5F8
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_0357A610
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F921B8
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename2PCe.exeH vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.220690671.0000000005980000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.221499299.0000000006180000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.221836536.0000000006270000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.221836536.0000000006270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.215286663.0000000002982000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBillie.dll< vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482366464.0000000006900000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482594137.0000000007420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482236343.00000000065D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.472820219.0000000001016000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2PCe.exeH vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe | Binary or memory string: OriginalFilename2PCe.exeH vs Acknowledgment NEW ORDER.exe
Source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.481979662.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.481979662.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Acknowledgment NEW ORDER.exe.5a50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Acknowledgment NEW ORDER.exe.5a50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Acknowledgment NEW ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KXtjcSAHzIh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@23/1
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File created: C:\Users\user\AppData\Roaming\KXtjcSAHzIh.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7e9d8301-bfb3-41d8-8ccb-7adef88d322a}
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp
Source: Acknowledgment NEW ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Acknowledgment NEW ORDER.exe | Virustotal: Detection: 26%
Source: Acknowledgment NEW ORDER.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File read: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe 'C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp'
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process created: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Acknowledgment NEW ORDER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Acknowledgment NEW ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003E0027 push 28D1E603h; retf 0000h | 0_2_003E00A3
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003E0053 push 28D1E603h; retf 0000h | 0_2_003E00A3
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D64E7 push es; retn 0000h | 0_2_003D64E4
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D74C7 push 28D1E60Eh; retf 0000h | 0_2_003D74D7
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D622C push es; retn 0000h | 0_2_003D64E4
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D7EA6 push ds; iretd | 0_2_003D8016
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F964E7 push es; retn 0000h | 3_2_00F964E4
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F974C7 push 28D1E60Eh; retf 0000h | 3_2_00F974D7
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00FA0053 push 28D1E603h; retf 0000h | 3_2_00FA00A3
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00FA0027 push 28D1E603h; retf 0000h | 3_2_00FA00A3
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F97EA6 push ds; iretd | 3_2_00F98016
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_00F9622C push es; retn 0000h | 3_2_00F964E4
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 3_2_035769F8 pushad ; retf | 3_2_035769F9
Source: initial sample | Static PE information: section name: .text entropy: 7.64596050964
          Source: initial sampleStatic PE information: section name: .text entropy: 7.64596050964
          Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exeFile created: C:\Users\user\AppData\Roaming\KXtjcSAHzIh.exeJump to dropped file
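The "Code function" rows above list push imm32 / retf, push es / retn, push ds / iretd and pushad / retf pairs, the signal behind the "Uses code obfuscation techniques (call, push, ret)" signature: a push immediately followed by a near or far return transfers control to whatever was pushed, which a linear disassembler cannot follow. The scanner below is an added example for this page, not part of the report or of the sample. It finds those byte sequences (x86, 32-bit operand size) and renders them the way the rows above do. SAMPLE and the base address 0x3E0000 are constructed for the example; the encoded immediate is the report's 28D1E603h.

```python
import re
import struct

# Opcode sequences behind the rows above (x86, 32-bit operand size):
#   68 imm32 CA imm16   push imm32 ; retf imm16
#   06 C2 imm16         push es    ; retn imm16
#   1E CF               push ds    ; iretd
#   60 CB               pushad     ; retf
PATTERNS = [
    ("push imm32; retf imm16", re.compile(rb"\x68(.{4})\xCA(.{2})", re.DOTALL)),
    ("push es; retn imm16", re.compile(rb"\x06\xC2(.{2})", re.DOTALL)),
    ("push ds; iretd", re.compile(rb"\x1E\xCF", re.DOTALL)),
    ("pushad; retf", re.compile(rb"\x60\xCB", re.DOTALL)),
]


def scan(code, base=0):
    """Return (address, rendered instruction pair) for every push/ret pair found in code."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(code):
            if name.startswith("push imm32"):
                imm, n = struct.unpack("<IH", m.group(1) + m.group(2))
                text = "push %08Xh; retf %04Xh" % (imm, n)
            elif name.startswith("push es"):
                text = "push es; retn %04Xh" % struct.unpack("<H", m.group(1))[0]
            else:
                text = name
            hits.append((base + m.start(), text))
    return sorted(hits)


# Constructed sample: an ordinary prologue, then the four pairs seen in the report, then ret.
SAMPLE = bytes.fromhex("558BEC" "6803E6D128CA0000" "90" "06C20000" "1ECF" "60CB" "C3")
BASE = 0x3E0000  # assumed load address for the listing

if __name__ == "__main__":
    for addr, text in scan(SAMPLE, BASE):
        print("%08X  %s" % (addr, text))
```

A linear byte scan cannot tell code from data. In a managed assembly such as this one, which carries almost no native code, these sequences usually sit in metadata, resources or the encrypted payload that the sandbox's disassembler read as code, so treat a hit as a prompt to confirm in a disassembler rather than as proof of a native obfuscation layer.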

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File opened: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process information set: NOOPENFILEERRORBOX (76 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.215299334.0000000002999000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Code function: 0_2_003D5C4E sldt word ptr [eax] | 0_2_003D5C4E
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Window / User API: threadDelayed 2113
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Window / User API: threadDelayed 7131
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Window / User API: foregroundWindowGot 992
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe TID: 6648 | Thread sleep time: -57071s >= -30000s
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe TID: 6664 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe TID: 6800 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), so these are effectively unbounded sleeps rather than finite timeouts a sandbox can wait out.
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482594137.0000000007420000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482594137.0000000007420000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482594137.0000000007420000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.214903235.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.482594137.0000000007420000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Memory allocated: page read and write | page guard
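The "Binary or memory string" rows above are the raw material for the AntiVM_3 match: a Sandboxie module name, a Wine export, VMware device, adapter and registry strings, and Hyper-V messages. Two things matter when reproducing such a sweep over a dump: a .NET process keeps its string literals as UTF-16LE, so an ASCII-only grep misses the sample's own probes, and read-only mappings such as the Hyper-V error messages typically belong to system libraries loaded into the process rather than to the sample. The scanner below is an added example for this page, not a Joe Sandbox rule or the AntiVM_3 Yara rule itself; it matches each indicator in both encodings, case-insensitively, and tallies hits per environment. DUMP is a constructed memory fragment, and the indicator list is the report's strings regrouped, not an exhaustive signature set.

```python
import re

# Indicator strings lifted from the "Binary or memory string" rows above, grouped by the
# environment they identify. "Ven_NECVMWar" is the SCSI CdRom device ID the sample queried.
INDICATORS = {
    "Sandboxie": ["SbieDll.dll"],
    "Wine": ["wine_get_unix_file_name"],
    "VMware": ["VMware SVGA II", "VMware Tools", "VMware, Inc.", "Ven_NECVMWar"],
    "Hyper-V": ["Hyper-V"],
}


def _compile():
    """One case-insensitive pattern per indicator and encoding (ASCII and UTF-16LE)."""
    pats = []
    for family, words in INDICATORS.items():
        for w in words:
            pats.append((family, w, "ascii",
                         re.compile(re.escape(w.encode("ascii")), re.IGNORECASE)))
            pats.append((family, w, "utf-16le",
                         re.compile(re.escape(w.encode("utf-16-le")), re.IGNORECASE)))
    return pats


PATTERNS = _compile()


def scan_strings(buf):
    """Return (offset, family, indicator, encoding) for every hit in buf, sorted by offset."""
    hits = []
    for family, word, enc, pat in PATTERNS:
        for m in pat.finditer(buf):
            hits.append((m.start(), family, word, enc))
    return sorted(hits)


def summarize(hits):
    """Count hits per environment family."""
    counts = {}
    for _, family, _, _ in hits:
        counts[family] = counts.get(family, 0) + 1
    return counts


# Constructed memory-dump fragment: a UTF-16 Sandboxie probe (as a .NET string literal would
# appear), an ASCII Wine export name, a UTF-16 VMware Tools registry path, an ASCII display
# adapter name and a Hyper-V error message of the kind found in mapped system libraries.
DUMP = (b"\x00" * 16
        + "SBIEDLL.DLL".encode("utf-16-le") + b"\x00\x00"
        + b"MZ\x90\x00PE\x00\x00"
        + b"KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME\x00"
        + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le") + b"\x00\x00"
        + b"VMware SVGA II\x00"
        + b"A Virtual Machine could not be started because Hyper-V is not installed.\x00")

if __name__ == "__main__":
    for off, family, word, enc in scan_strings(DUMP):
        print("0x%06x %-9s %-8s %s" % (off, family, enc, word))
    print(summarize(scan_strings(DUMP)))
```

When triaging, weight the UTF-16 hits in private read/write regions (the 00000004-protection dumps above) over ASCII hits in read-only mappings; the former are the sample's own checks, the latter are usually Windows resources that every process carries.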

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Memory written: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' /XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp'
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Process created: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.480431310.0000000003B5B000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.475639547.0000000001F10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.475639547.0000000001F10000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.475639547.0000000001F10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
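Three of the behaviours in this report are visible in ordinary endpoint telemetry: the schtasks /Create under Boot Survival whose /XML definition is read from a temp directory, the deletion of the sample's own Zone.Identifier stream under Hooking, and the injection above, where the sample spawns a second copy of itself and writes an MZ image at base 0x400000 into it. The following detection logic is an added example written for this page, not Joe Sandbox tooling or a published Sigma rule. It runs the three checks over constructed Sysmon-style events built from this report's process tree: PIDs 6644 and 6756, the image paths, the command lines and the Zone.Identifier delete are the report's; the schtasks PID 6700, the parent PID 4321, the benign control task (PID 7000) and the event field names are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events modelled on this report's process tree.
# Image paths, command lines and PIDs 6644/6756 come from the report; the schtasks PID 6700,
# the parent PID 4321 and the benign control event (PID 7000) are assumptions for the example.
EVENTS = [
    {"pid": 6644, "ppid": 4321,
     "image": r"C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe",
     "cmdline": r"C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe"},
    {"pid": 6700, "ppid": 6644,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KXtjcSAHzIh' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3ABD.tmp'"},
    {"pid": 6756, "ppid": 6644,
     "image": r"C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe",
     "cmdline": r"C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe"},
    {"pid": 7000, "ppid": 4321,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'"},
]
# Constructed file event mirroring the Zone.Identifier row under Hooking (the delete is the report's).
FILE_EVENTS = [
    {"pid": 6644, "op": "delete",
     "path": r"C:\Users\user\Desktop\Acknowledgment NEW ORDER.exe:Zone.Identifier"},
]

TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
XML_ARG = re.compile(r"/XML\s+['\"]?([^'\"]+)", re.IGNORECASE)
TN_ARG = re.compile(r"/TN\s+['\"]?([^'\"]+)", re.IGNORECASE)


def task_from_temp_xml(ev):
    """schtasks /Create reading its task definition from a temp directory (the Sigma
    'Scheduled temp file as task from temp location' pattern). Returns (task, xml) or None."""
    if ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    xml = XML_ARG.search(cmd)
    if not xml or not TEMP_DIR.search(xml.group(1)):
        return None
    tn = TN_ARG.search(cmd)
    return (tn.group(1) if tn else "?", xml.group(1))


def self_spawn(ev, by_pid):
    """Child whose parent runs the same image: the shape of this sample's hollowing of a
    second copy of itself (memory written at base 0x400000 beginning with 4D5A)."""
    parent = by_pid.get(ev["ppid"])
    return parent is not None and parent["image"].lower() == ev["image"].lower()


def motw_self_strip(fev, by_pid):
    """Process deleting the Zone.Identifier stream of its own image (Mark-of-the-Web removal)."""
    path, _, stream = fev["path"].rpartition(":")
    proc = by_pid.get(fev["pid"])
    return (fev["op"] == "delete" and stream.lower() == "zone.identifier"
            and proc is not None and proc["image"].lower() == path.lower())


def analyze(events, file_events):
    """Map PID -> list of findings over the two event streams."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        task = task_from_temp_xml(ev)
        if task:
            findings.setdefault(ev["pid"], []).append("schtasks_temp_xml:%s<-%s" % task)
        if self_spawn(ev, by_pid):
            findings.setdefault(ev["pid"], []).append("self_spawn_parent_%d" % ev["ppid"])
    for fev in file_events:
        if motw_self_strip(fev, by_pid):
            findings.setdefault(fev["pid"], []).append("zone_identifier_removed")
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(analyze(EVENTS, FILE_EVENTS).items()):
        print(pid, hits)
```

The self-spawn check is deliberately coarse, since any parent and child sharing an image will match; pair it with a cross-process memory-write or a CreateProcess-with-CREATE_SUSPENDED event before alerting. The schtasks check keys on the /XML path rather than on the task name because names such as Updates\KXtjcSAHzIh are not stable indicators, while a task definition read from %TEMP% is rarely legitimate.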

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.482126188.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.480653988.0000000004599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6756, type: MEMORY
Source: Yara match | File source: Process Memory Space: Acknowledgment NEW ORDER.exe PID: 6644, type: MEMORY
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Acknowledgment NEW ORDER.exe.5dc0000.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: Acknowledgment NEW ORDER.exe, 00000000.00000002.216698074.00000000037FD000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.472324948.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: Acknowledgment NEW ORDER.exe, 00000003.00000002.477022551.0000000003591000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: the same ten memory and unpacked-PE matches listed under Stealing of Sensitive Information

Mitre Att&ck Matrix (listed by tactic; a trailing number is the report's matched-signature count as rendered)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scheduled Task/Job 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 4; Disable or Modify Tools 1; Process Injection 112; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 2
Credential Access: Input Capture 11; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery 211; Virtualization/Sandbox Evasion 4; Process Discovery 2; Application Window Discovery 1; File and Directory Discovery 1; System Information Discovery 12; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture 11; Archive Collected Data 11; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impa