Analysis Report 43GgS3qDjr.exe

Overview

General Information

Sample Name: 43GgS3qDjr.exe
Analysis ID: 284069
MD5: 8610b89fa9f47edcad05cf37e9305e42
SHA1: b42bd3b08db4538f725dd0877ee24776983f6377
SHA256: 6652aff02e1c302fcc5905dd04ceca689e6343db3498b12c20f6dcd15ab93edf

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 43GgS3qDjr.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\43GgS3qDjr.exe' MD5: 8610B89FA9F47EDCAD05CF37E9305E42)
    • schtasks.exe (PID: 6632 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6676 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000004.00000002.523567869.0000000004F00000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.523567869.0000000004F00000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.4f00000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.4f00000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5380000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5380000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5380000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\43GgS3qDjr.exe', ParentImage: C:\Users\user\Desktop\43GgS3qDjr.exe, ParentProcessId: 6404, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp', ProcessId: 6632

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aurfIEGdFJRH.exe | Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\aurfIEGdFJRH.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: 43GgS3qDjr.exe | Virustotal: Detection: 33%
Source: 43GgS3qDjr.exe | ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522761474.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523991841.0000000005380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match | File source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.5380000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5380000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\aurfIEGdFJRH.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 43GgS3qDjr.exe | Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 85.203.44.214:3990
Source: unknown | DNS traffic detected: queries for: uhie.hopto.org
Source: 43GgS3qDjr.exe, 00000000.00000002.269335923.0000000004F20000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RegSvcs.exe, 00000004.00000002.522761474.0000000003B97000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522761474.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523991841.0000000005380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match | File source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.5380000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5380000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.523567869.0000000004F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.522761474.0000000003B97000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.523991841.0000000005380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.4f00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.5380000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5380000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04F115D2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04F11597 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_04D7116A NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_04D7112F NtQuerySystemInformation
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_00079470
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_0007933A
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1CCA0
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A14080
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A14C8A
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A14820
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A16018
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A15118
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1EEC0
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A11E70
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A12380
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1C728
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1C0B8
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A17828
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A13430
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1800A
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A18018
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1781A
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A14860
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A18DB1
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A16DB8
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1B590
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A16DC8
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1DEC0
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A17AC9
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A18238
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A17E08
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A17E18
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A18248
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A183BA
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A13FD9
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1BB18
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A15F18
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_07040070
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_07040006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F8468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F9068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027FAD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F912F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_027F9910
Source: 43GgS3qDjr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aurfIEGdFJRH.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 43GgS3qDjr.exe | Binary or memory string: OriginalFilename vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.269335923.0000000004F20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000000.248861093.0000000000072000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename7lL.exe4 vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.273347372.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.269368191.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.270456679.0000000005350000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.270456679.0000000005350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe, 00000000.00000002.270497276.00000000053A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs 43GgS3qDjr.exe
Source: 43GgS3qDjr.exe | Binary or memory string: OriginalFilename7lL.exe4 vs 43GgS3qDjr.exe
Source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.516479402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.523567869.0000000004F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.523567869.0000000004F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.522761474.0000000003B97000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.523991841.0000000005380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.523991841.0000000005380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.267852849.0000000003968000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.268246217.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.4f00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.4f00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5380000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5380000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5380000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5380000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 43GgS3qDjr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aurfIEGdFJRH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/4@15/1
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04F11116 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04F110DF AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_04D70F2A AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_04D70EF3 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File created: C:\Users\user\AppData\Roaming\aurfIEGdFJRH.exe
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Mutant created: \Sessions\1\BaseNamedObjects\qBhFPRlNZQqFltTOueJ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{eac592d5-ca98-4726-ba89-b7a131d06d23}
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp
Source: 43GgS3qDjr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 43GgS3qDjr.exe | Virustotal: Detection: 33%
Source: 43GgS3qDjr.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File read: C:\Users\user\Desktop\43GgS3qDjr.exe
Source: unknown | Process created: C:\Users\user\Desktop\43GgS3qDjr.exe 'C:\Users\user\Desktop\43GgS3qDjr.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp'
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 43GgS3qDjr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 43GgS3qDjr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\dll\System.pdb | source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\RegSvcs.pdbl | source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdbs | source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb | source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: 43GgS3qDjr.exe, 00000000.00000002.269368191.0000000004F30000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.523675385.0000000004F40000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\System.pdb source: RegSvcs.exe, 00000004.00000002.519569473.0000000002815000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 43GgS3qDjr.exe, MacroReader.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: aurfIEGdFJRH.exe.0.dr, MacroReader.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.43GgS3qDjr.exe.70000.0.unpack, MacroReader.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.43GgS3qDjr.exe.70000.0.unpack, MacroReader.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A1288F pushad ; ret 0_2_04A12890
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Code function: 0_2_04A156AD push esp; ret 0_2_04A156B2
Source: initial sample | Static PE information: section name: .text entropy: 7.85652057828
Source: initial sample | Static PE information: section name: .text entropy: 7.85652057828
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File created: C:\Users\user\AppData\Roaming\aurfIEGdFJRH.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aurfIEGdFJRH' /XML 'C:\Users\user\AppData\Local\Temp\tmpAFA1.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (40 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: 43GgS3qDjr.exe PID: 6404, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 43GgS3qDjr.exe, 00000000.00000002.270954605.0000000005447000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 43GgS3qDjr.exe, 00000000.00000002.270954605.0000000005447000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239844
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239656
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239547
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239453
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239297
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239203
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 239094
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238953
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238641
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238391
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238297
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 238203
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 237047
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236953
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236797
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236703
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236594
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236500
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236344
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236250
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236156
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 236000
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235703
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235547
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235437
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235297
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235203
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 235094
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234953
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234844
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234750
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234641
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234547
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234453
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234297
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234203
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234094
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 234000
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233906
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233734
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233641
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233500
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233391
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233297
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 233094
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 232953
Source: C:\Users\user\Desktop\43GgS3qDjr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 549
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 842
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6408 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239844s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239750s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239656s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239547s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239453s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239297s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239203s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -239094s >= -30000s
Source: C:\Users\user\Desktop\43GgS3qDjr.exe TID: 6444 | Thread sleep time: -238953s >= -30000s