Analysis Report HMPEX_PO201120112.exe

ID:	320997
Product:	CloudBasic
Start time:	08:49:24
Start date:	20.11.2020
Sample:	HMPEX_PO201120112.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	466374834392ddb16028e2e90a695e22
SHA1:	7bbdf8489efde85fc286a9e1e74d1105fa92e09a
SHA256:	413071284c887dc820673640fef4d8c0f3eb4e23db3ef3f3c4b10c4e76b531a8
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HMPEX_PO201120112.exe.log	ASCII text, with CRLF line terminators	B1DB55991C3DA14E35249AEA1BC357CA	0DD2D91198FDEF296441B12F1A906669B279700C	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
C:\Users\user\AppData\Local\Temp\tmpB95.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	6A01901DB1A09D95B612B3756AE873EB	306D211BCABA87B4775D7AC3E50C8C785AEE2EDB	5CD2734F46C28BCE65DC53CB22D0883F23092505CBB07D229C13F9ABA4C5C67C
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	32D0AAE13696FF7F8AF33B2D22451028	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	Non-ISO extended-ASCII text, with no line terminators	F08B37A6FEC6A11BD207F4EC62242C08	C7D52DFE3E5C9CFD74FCBF0C7E78C36530F68F20	3DA33814894DB347B1E54379EAA7EAC8DD2AF8608BA4D08754910052D29D71CA
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	963D5E2C9C0008DFF05518B47C367A7F	C183D601FABBC9AC8FBFA0A0937DECC677535E74	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	466374834392DDB16028E2E90A695E22	7BBDF8489EFDE85FC286A9E1E74D1105FA92E09A	413071284C887DC820673640FEF4D8C0F3EB4E23DB3EF3F3C4B10C4E76B531A8
C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

AV Detection:

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: HMPEX_PO201120112.exe

ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HMPEX_PO201120112.exe

Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49733 -> 185.19.85.136:1120

Uses dynamic DNS services

Source: unknown

DNS query: name: jackpiaau.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.19.85.136:1120

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: jackpiaau.ddns.net

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: HMPEX_PO201120112.exe, 00000000.00000002.664536361.0000000000C9A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Detected potential crypto function

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC2CD8		0_2_04CC2CD8
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC147F		0_2_04CC147F
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC3180		0_2_04CC3180
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC0940		0_2_04CC0940
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC36C4		0_2_04CC36C4
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC13E8		0_2_04CC13E8
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC1CCA		0_2_04CC1CCA
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC2CC7		0_2_04CC2CC7
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC48FF		0_2_04CC48FF
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC2080		0_2_04CC2080
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CCA84F		0_2_04CCA84F
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC1040		0_2_04CC1040
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CCA860		0_2_04CCA860
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC2071		0_2_04CC2071
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC3170		0_2_04CC3170
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC3118		0_2_04CC3118
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC4910		0_2_04CC4910
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC13D9		0_2_04CC13D9
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_04CC4B59		0_2_04CC4B59
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_05270070		0_2_05270070
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_05270018		0_2_05270018
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_05276348		0_2_05276348

Sample file is different than original file name gathered from version info

Source: HMPEX_PO201120112.exe	Binary or memory string: OriginalFilename vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668355984.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668742644.0000000005950000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.663505901.0000000000472000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamesACe.exe4 vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.667611819.0000000004D80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.664536361.0000000000C9A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668987111.0000000005A50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668987111.0000000005A50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe	Binary or memory string: OriginalFilenamesACe.exe4 vs HMPEX_PO201120112.exe

Yara signature match

Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: HMPEX_PO201120112.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yaXwsWQOFrzix.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@1/1

Creates files inside the user directory

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File created: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{fcbfffbd-b172-4cd2-bfe0-e3a14f422e6e}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Creates temporary files

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB95.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: HMPEX_PO201120112.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: HMPEX_PO201120112.exe

ReversingLabs: Detection: 25%

Sample reads its own file content

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File read: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\HMPEX_PO201120112.exe 'C:\Users\user\Desktop\HMPEX_PO201120112.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: HMPEX_PO201120112.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: HMPEX_PO201120112.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: mscorrc.pdb source: HMPEX_PO201120112.exe, 00000000.00000002.667611819.0000000004D80000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_00473365 push esp; retf		0_2_00473368
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Code function: 0_2_05270006 push ss; iretd		0_2_05270016

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.65544559702
Source: initial sample	Static PE information: section name: .text entropy: 7.65544559702

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File created: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665529938.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 584			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 1494			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 720			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 661			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe TID: 7084	Thread sleep time: -53674s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe TID: 7104	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4700	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: HMPEX_PO201120112.exe, 00000000.00000002.664579735.0000000000CCB000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Queries a list of all running processes

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: C9D008			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe			Jump to behavior

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Source: HMPEX_PO201120112.exe, 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY