Loading ...

Play interactive tourEdit tour

Analysis Report 2020101508898,pdf.exe

Overview

General Information

Sample Name:2020101508898,pdf.exe
Analysis ID:298793
MD5:fbfa4544077df133eeaab26bb82cf10f
SHA1:3c8a398dc2aabc1219e09147087e97465b7f1f5d
SHA256:02a438010c995c0587226655a3e2420af6d60c1f09696753c5ef28c7b72c1f4d
Tags:exegeoNanoCorenVpnRATTHA

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Startup

  • System is w10x64
  • 2020101508898,pdf.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\2020101508898,pdf.exe' MD5: FBFA4544077DF133EEAAB26BB82CF10F)
    • schtasks.exe (PID: 7068 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 6220 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2630.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 6668 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.165.153.245"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.922634171.0000000005850000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.922634171.0000000005850000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    Click to see the 15 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    5.2.MSBuild.exe.5850000.2.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    5.2.MSBuild.exe.5850000.2.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    5.2.MSBuild.exe.6530000.5.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
    5.2.MSBuild.exe.6530000.5.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
    5.2.MSBuild.exe.6530000.5.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 7 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\2020101508898,pdf.exe' , ParentImage: C:\Users\user\Desktop\2020101508898,pdf.exe, ParentProcessId: 7012, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp', ProcessId: 7068

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: MSBuild.exe.6636.5.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["185.165.153.245"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Roaming\mxVDRcXKl.exeReversingLabs: Detection: 27%
      Multi AV Scanner detection for submitted fileShow sources
      Source: 2020101508898,pdf.exeReversingLabs: Detection: 27%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.918928447.0000000003241000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.920667605.0000000004289000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORY
      Source: Yara matchFile source: 5.2.MSBuild.exe.6530000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.2.MSBuild.exe.6530000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Roaming\mxVDRcXKl.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: 2020101508898,pdf.exeJoe Sandbox ML: detected
      Source: 5.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

      Networking:

      barindex
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: billionaire.ddns.net
      Source: global trafficTCP traffic: 192.168.2.4:49744 -> 185.165.153.245:3734
      Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 23.54.113.45
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.153
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
      Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.153
      Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.153
      Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.153
      Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
      Source: unknownDNS traffic detected: queries for: billionaire.ddns.net
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
      Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
      Source: 2020101508898,pdf.exe, 00000000.00000002.663200304.0000000000DD0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: MSBuild.exe, 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.918928447.0000000003241000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.920667605.0000000004289000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORY
      Source: Yara matchFile source: 5.2.MSBuild.exe.6530000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.2.MSBuild.exe.6530000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000005.00000002.922634171.0000000005850000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.920667605.0000000004289000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.MSBuild.exe.5850000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.MSBuild.exe.6530000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.MSBuild.exe.6530000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_00D4C2340_2_00D4C234
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_00D4E6F00_2_00D4E6F0
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_00D4E7000_2_00D4E700
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BBADD00_2_05BBADD0
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB5EE80_2_05BB5EE8
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB5ED80_2_05BB5ED8
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB68F00_2_05BB68F0
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB68E00_2_05BB68E0
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB00060_2_05BB0006
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeCode function: 0_2_05BB00400_2_05BB0040
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0170E4715_2_0170E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0170E4805_2_0170E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0170BBD45_2_0170BBD4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_069F00405_2_069F0040
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_008A21488_2_008A2148
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_008A5A288_2_008A5A28
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_008A4A208_2_008A4A20
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_008A1A408_2_008A1A40
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_008A21338_2_008A2133
      Source: 2020101508898,pdf.exe, 00000000.00000002.663200304.0000000000DD0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.666707567.0000000005A80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexag vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.666902750.0000000006280000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.662720326.00000000005F0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamenLMp.exe4 vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.666805939.0000000005BC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenL vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.667007198.0000000006380000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exe, 00000000.00000002.667007198.0000000006380000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2020101508898,pdf.exe
      Source: 2020101508898,pdf.exeBinary or memory string: OriginalFilenamenLMp.exe4 vs 2020101508898,pdf.exe
      Source: 00000005.00000002.922634171.0000000005850000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.922634171.0000000005850000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.922864991.0000000006530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.917615639.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.663648395.0000000003979000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.920667605.0000000004289000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: MSBuild.exe PID: 6636, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.MSBuild.exe.5850000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.5850000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.6530000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.6530000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.6530000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.6530000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2020101508898,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: mxVDRcXKl.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: MSBuild.exe, 00000008.00000002.669738270.0000000002501000.00000004.00000001.sdmpBinary or memory string: *.sln
      Source: classification engineClassification label: mal100.troj.evad.winEXE@11/9@21/1
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile created: C:\Users\user\AppData\Roaming\mxVDRcXKl.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{20d8de57-81d3-46f5-82d3-182b167de96f}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\queuLtQtseYLkyDVTTr
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1AD6.tmpJump to behavior
      Source: 2020101508898,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: 2020101508898,pdf.exeReversingLabs: Detection: 27%
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile read: C:\Users\user\Desktop\2020101508898,pdf.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\2020101508898,pdf.exe 'C:\Users\user\Desktop\2020101508898,pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2630.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2630.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: 2020101508898,pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 2020101508898,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: 2020101508898,pdf.exe, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: mxVDRcXKl.exe.0.dr, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.2020101508898,pdf.exe.560000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.2020101508898,pdf.exe.560000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: initial sampleStatic PE information: section name: .text entropy: 7.73191150874
      Source: initial sampleStatic PE information: section name: .text entropy: 7.73191150874
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile created: C:\Users\user\AppData\Roaming\mxVDRcXKl.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Yara detected AntiVM_3Show sources
      Source: Yara matchFile source: 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.663443423.00000000029CB000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 2020101508898,pdf.exe PID: 7012, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2824Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 6822Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 1021Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exe TID: 7016Thread sleep time: -52878s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exe TID: 1172Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4240Thread sleep time: -12912720851596678s >= -30000sJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6768Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: MSBuild.exe, 00000005.00000002.923028434.0000000006F00000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
      Source: MSBuild.exe, 00000005.00000002.923028434.0000000006F00000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: MSBuild.exe, 00000005.00000002.923028434.0000000006F00000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: 2020101508898,pdf.exe, 00000000.00000002.663394818.0000000002971000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: MSBuild.exe, 00000005.00000002.923028434.0000000006F00000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Allocates memory in foreign processesShow sources
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
      Injects a PE file into a foreign processesShow sources
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
      Writes to foreign memory regionsShow sources
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFB008Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mxVDRcXKl' /XML 'C:\Users\user\AppData\Local\Temp\tmp1AD6.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2630.tmp'Jump to behavior
      Source: MSBuild.exe, 00000005.00000002.918510429.000000000168E000.00000004.00000001.sdmpBinary or memory string: Program Manager0fS
      Source: MSBuild.exe, 00000005.00000002.922844082.00000000064AB000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: MSBuild.exe, 00000005.00000002.918647002.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: MSBuild.exe, 00000005.00000002.918647002.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: MSBuild.exe, 00000005.00000002.918991949.00000000032C4000.00000004.00000001.sdmpBinary or memory string: Program ManagerHa\k(
      Source: MSBuild.exe, 00000005.00000002.918647002.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeQueries volume information: C:\Users\user\Desktop\2020101508898,pdf.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\2020101508898,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information:

      bar