
Analysis Report HMPEX_PO201120112.exe

Overview

General Information

Sample Name: HMPEX_PO201120112.exe
Analysis ID: 320997
MD5: 466374834392ddb16028e2e90a695e22
SHA1: 7bbdf8489efde85fc286a9e1e74d1105fa92e09a
SHA256: 413071284c887dc820673640fef4d8c0f3eb4e23db3ef3f3c4b10c4e76b531a8
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HMPEX_PO201120112.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\HMPEX_PO201120112.exe' MD5: 466374834392DDB16028E2E90A695E22)
    • schtasks.exe (PID: 6264 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6328 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
    • 0x10f77d:$x1: NanoCore.ClientPluginHost
    • 0x141f9d:$x1: NanoCore.ClientPluginHost
    • 0x10f7ba:$x2: IClientNetworkHost
    • 0x141fda:$x2: IClientNetworkHost
    • 0x1132ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x145b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
    • 0x10f4e5:$a: NanoCore
    • 0x10f4f5:$a: NanoCore
    • 0x10f729:$a: NanoCore
    • 0x10f73d:$a: NanoCore
    • 0x10f77d:$a: NanoCore
    • 0x141d05:$a: NanoCore
    • 0x141d15:$a: NanoCore
    • 0x141f49:$a: NanoCore
    • 0x141f5d:$a: NanoCore
    • 0x141f9d:$a: NanoCore
    • 0x10f544:$b: ClientPlugin
    • 0x10f746:$b: ClientPlugin
    • 0x10f786:$b: ClientPlugin
    • 0x141d64:$b: ClientPlugin
    • 0x141f66:$b: ClientPlugin
    • 0x141fa6:$b: ClientPlugin
    • 0x10f66b:$c: ProjectData
    • 0x141e8b:$c: ProjectData
    • 0x1cb57d:$c: ProjectData
    • 0x23579d:$c: ProjectData
    • 0x110072:$d: DESCrypto
Source: 00000000.00000002.665529938.0000000002B61000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
(4 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\HMPEX_PO201120112.exe', ParentImage: C:\Users\user\Desktop\HMPEX_PO201120112.exe, ParentProcessId: 7080, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp', ProcessId: 6264

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe, ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: HMPEX_PO201120112.exe, ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: HMPEX_PO201120112.exe, Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49733 -> 185.19.85.136:1120
Uses dynamic DNS services
Source: unknown, DNS query: name: jackpiaau.ddns.net
Source: global traffic, TCP traffic: 192.168.2.4:49733 -> 185.19.85.136:1120
Source: Joe Sandbox View, ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
Source: unknown, TCP traffic detected without corresponding DNS query: 92.122.145.220 (50 identical entries)
Source: unknown, DNS traffic detected: queries for: jackpiaau.ddns.net
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown, Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown, Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown, Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49701
Source: HMPEX_PO201120112.exe, 00000000.00000002.664536361.0000000000C9A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC2CD8
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC147F
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC3180
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC0940
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC36C4
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC13E8
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC1CCA
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC2CC7
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC48FF
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC2080
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CCA84F
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC1040
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CCA860
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC2071
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC3170
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC3118
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC4910
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC13D9
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_04CC4B59
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_05270070
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_05270018
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_05276348
Source: HMPEX_PO201120112.exe, Binary or memory string: OriginalFilename vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668355984.00000000051F0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameKedermister.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668742644.0000000005950000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.663505901.0000000000472000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamesACe.exe4 vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.667611819.0000000004D80000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.664536361.0000000000C9A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668987111.0000000005A50000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, 00000000.00000002.668987111.0000000005A50000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HMPEX_PO201120112.exe
Source: HMPEX_PO201120112.exe, Binary or memory string: OriginalFilenamesACe.exe4 vs HMPEX_PO201120112.exe
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: HMPEX_PO201120112.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yaXwsWQOFrzix.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.evad.winEXE@6/8@1/1
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File created: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{fcbfffbd-b172-4cd2-bfe0-e3a14f422e6e}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File created: C:\Users\user\AppData\Local\Temp\tmpB95.tmp
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HMPEX_PO201120112.exe, ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File read: C:\Users\user\Desktop\HMPEX_PO201120112.exe
Source: unknown, Process created: C:\Users\user\Desktop\HMPEX_PO201120112.exe 'C:\Users\user\Desktop\HMPEX_PO201120112.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: HMPEX_PO201120112.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: HMPEX_PO201120112.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: HMPEX_PO201120112.exe, 00000000.00000002.667611819.0000000004D80000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_00473365 push esp; retf 0_2_00473368
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, Code function: 0_2_05270006 push ss; iretd 0_2_05270016
Source: initial sample, Static PE information: section name: .text entropy: 7.65544559702
Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe, File created: C:\Users\user\AppData\Roaming\yaXwsWQOFrzix.exe (dropped file)

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.665529938.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: threadDelayed 584
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: threadDelayed 1494
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: foregroundWindowGot 720
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: foregroundWindowGot 661
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe TID: 7084 | Thread sleep time: -53674s >= -30000s
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4700 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
        Source: HMPEX_PO201120112.exe, 00000000.00000002.664579735.0000000000CCB000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: HMPEX_PO201120112.exe, 00000000.00000002.665594862.0000000002BB5000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information queried: ProcessInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: C9D008
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yaXwsWQOFrzix' /XML 'C:\Users\user\AppData\Local\Temp\tmpB95.tmp'
        Source: C:\Users\user\Desktop\HMPEX_PO201120112.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: HMPEX_PO201120112.exe, 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.666063227.0000000003B64000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: HMPEX_PO201120112.exe PID: 7080, type: MEMORY

        Mitre Att&ck Matrix

        The matrix is listed here by tactic (one column of the original table per line). Bracketed digits are the numeric badges the report attaches to the techniques it observed, kept exactly as they appear; techniques without a badge are the table's unobserved placeholders.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Windows Management Instrumentation [1]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd
        Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Privilege Escalation: Process Injection [311]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [3]; Disable or Modify Tools [1]; Process Injection [311]; Obfuscated Files or Information [2]; Software Packing [2]
        Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: Security Software Discovery [221]; Virtualization/Sandbox Evasion [3]; Process Discovery [1]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [2]
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Input Capture [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Command and Control: Encrypted Channel [12]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [12]; Multiband Communication
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
        Impact: Modify System Partition; Device Lockout; Delete Device Data

        Behavior Graph

        (Graph image not reproduced here. Legend of node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process.)