Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321011
MD5: d17a52d8263a29f0afffc30761720be6
SHA1: ff9fa32a78a32e735ea679041af9346947c0e6de
SHA256: 96a34a59ffd94ac128d876e672507847b2ca5261b5819ae1db1402ff641375ad
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

AV Detection:

Found malware configuration
Source: Quotation ATB-PR28500KINH.exe.5776.3.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\4esd Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 185.140.53.139:1430
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown DNS traffic detected: queries for: petroleum.sytes.net
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 0_2_00746ED1 0_2_00746ED1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_00F86ED1 3_2_00F86ED1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_0311E471 3_2_0311E471
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_0311E480 3_2_0311E480
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_0311BBD4 3_2_0311BBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDEC59 3_2_05CDEC59
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDF8D0 3_2_05CDF8D0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD8578 3_2_05CD8578
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD8646 3_2_05CD8646
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD12C0 3_2_05CD12C0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD0240 3_2_05CD0240
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDD258 3_2_05CDD258
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDBD60 3_2_05CDBD60
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD8F73 3_2_05CD8F73
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDC978 3_2_05CDC978
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD7970 3_2_05CD7970
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CD88C8 3_2_05CD88C8
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDCA36 3_2_05CDCA36
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074BAF68 3_2_074BAF68
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B7548 3_2_074B7548
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B6C78 3_2_074B6C78
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B0378 3_2_074B0378
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B0040 3_2_074B0040
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B25F0 3_2_074B25F0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B0920 3_2_074B0920
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B6930 3_2_074B6930
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_074B00FE 3_2_074B00FE
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 7_2_008E6ED1 7_2_008E6ED1
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
PE file contains strange resources
Source: Quotation ATB-PR28500KINH.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4esd.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.836297647.0000000005660000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000003.716656516.00000000017D8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.835818804.0000000006560000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.826732674.00000000016FA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.806393399.0000000005700000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.805904969.0000000005300000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Quotation ATB-PR28500KINH.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4esd.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HJdyTuap.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@45818/14@1/3
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\4esd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5904
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp
Source: Quotation ATB-PR28500KINH.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Quotation ATB-PR28500KINH.exe")
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Quotation ATB-PR28500KINH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation ATB-PR28500KINH.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: (PGo0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
Source: Binary string: System.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.755396910.0000000000DCE000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbO source: WerFault.exe, 0000000C.00000003.764146679.0000000005019000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb4 source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb* source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbi source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: i.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb2 source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.827053234.00000000017CF000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
Source: Binary string: System.ni.pdbj source: WerFault.exe, 0000000C.00000003.764414638.0000000005023000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
Source: Binary string: System.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp, WERD2B1.tmp.dmp.12.dr
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.755396910.0000000000DCE000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdbo source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32L~ source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb> source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: version.pdb, source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdbj source: WerFault.exe, 0000000C.00000003.764414638.0000000005023000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000C.00000003.764730868.0000000004F00000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbo source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains an invalid checksum
Source: HJdyTuap.exe.0.dr Static PE information: real checksum: 0x100e9b should be: 0x101c9b
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDEC42 push es; ret 3_2_05CDEC50
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 3_2_05CDEC22 push es; ret 3_2_05CDEC30
Source: initial sample Static PE information: section name: .text entropy: 7.86677123443
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\4esd
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\4esd

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File opened: C:\Users\user\AppData\Roaming\4esd:Zone.Identifier read attributes | delete
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: threadDelayed 874
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: threadDelayed 5053
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: threadDelayed 4445
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: foregroundWindowGot 421
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: foregroundWindowGot 358
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6264 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 5720 Thread sleep count: 113 > 30
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.836297647.0000000005660000.00000004.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000007.00000002.806393399.0000000005700000.00000004.00000001.sdmp Binary or memory string: U!W5=T#TqeMuR=y
Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000C.00000002.794075549.0000000004C20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: WerFault.exe, 0000000C.00000002.794115721.0000000004C4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.826998709.00000000017A4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Section loaded: unknown target: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.828047366.000000000353F000.00000004.00000001.sdmp Binary or memory string: Program Managerh
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.837503016.000000000794E000.00000004.00000010.sdmp Binary or memory string: Program Managerram Manager,1
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.828047366.000000000353F000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836146987.000000000694D000.00000004.00000010.sdmp Binary or memory string: Program Managerram Manager

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
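The process-creation lines under "HIPS / PFW / Operating System Protection Evasion" (the sample spawning a copy of itself, schtasks.exe importing a task from an XML file in the user's Temp folder, taskkill.exe, and ping.exe with -n 1 -w 3000 used as a delay) and the three ROOT\SecurityCenter2 queries directly above are the kind of events a triage script can flag from a sandbox or EDR event stream. The following is an added example written for this page; it is not Joe Sandbox code and not the logic behind the report's signatures. The EVENTS list is constructed to mirror the report's lines (the report renders quoted arguments with single quotes), and the thresholds (for instance treating a -w of at least 1000 ms as a sleep) are the example's own heuristics.

```python
"""Triage of sandbox process-creation and WMI-query events.

Added example, not part of the Joe Sandbox report or of its rule set. It flags the
behaviours listed under 'HIPS / PFW / Operating System Protection Evasion' (self-spawn,
schtasks from a Temp XML, taskkill, ping used as a sleep) and under 'Lowering of HIPS /
PFW / Operating System Security Settings' (WMI SecurityCenter2 queries). EVENTS is
constructed to mirror the report's lines; the thresholds are heuristics of this example.
"""
import re

# The report shows quoted arguments with single quotes; keep a quoted token whole either way.
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SECURITY_CENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2?\s*:\s*SELECT\b.*\bFROM\s+"
    r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b", re.IGNORECASE)

# Constructed events. process: (kind, parent image, child image, child command line)
#                     wmi:     (kind, issuing image, query as the report renders it)
EVENTS = [
    ("process", r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe", "Quotation ATB-PR28500KINH.exe"),
    ("process", r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'"),
    ("process", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\taskkill.exe",
     "taskkill /f /im 'Quotation ATB-PR28500KINH.exe'"),
    ("process", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 -w 3000 1.1.1.1"),
    ("process", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE", "ping -n 4 fileserver"),  # ordinary ping
    ("wmi", r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     r"ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"),
    ("wmi", r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     r"ROOT\CIMV2 : SELECT Name FROM Win32_Processor"),  # hardware query, not security-product discovery
]

def tokenize(cmdline):
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_process(parent, child, cmdline):
    toks = tokenize(cmdline)
    args = [t.lower() for t in toks[1:]]          # args[i] corresponds to toks[i + 1]
    exe = image_name(child)
    findings = []
    if parent.lower() == child.lower():
        findings.append("process spawned a copy of its own image (injection staging)")
    if exe == "schtasks.exe" and "/create" in args and "/xml" in args:
        i = args.index("/xml") + 2                 # the path that follows /xml
        if i < len(toks) and TEMP_RE.search(toks[i]):
            findings.append("scheduled task created from XML in user Temp")
    if exe == "taskkill.exe" and "/f" in args and "/im" in args:
        i = args.index("/im") + 2
        target = toks[i] if i < len(toks) else "?"
        findings.append(f"forced termination of {target}")
    if exe == "ping.exe" and image_name(parent) == "cmd.exe" and "-n" in args and "-w" in args:
        # Sleep idiom: a single echo request with a long per-reply timeout. -w is in
        # milliseconds, so the command blocks for up to that long when the target does not answer.
        i = args.index("-w") + 1
        wait_ms = int(args[i]) if i < len(args) and args[i].isdigit() else 0
        if wait_ms >= 1000:
            findings.append(f"ping used as a {wait_ms} ms sleep")
    return findings

def triage_wmi(query):
    m = SECURITY_CENTER_RE.search(query)
    return [f"security product discovery via WMI ({m.group(1)})"] if m else []

def triage(events):
    """Map each event's command line or query text to its findings (events with none are omitted)."""
    report = {}
    for ev in events:
        if ev[0] == "process":
            key, findings = ev[3], triage_process(ev[1], ev[2], ev[3])
        else:
            key, findings = ev[2], triage_wmi(ev[2])
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    for key, findings in triage(EVENTS).items():
        print(key)
        for f in findings:
            print("    -", f)
```

The parent/child pairing matters more than any single command line: schtasks.exe importing an XML is routine for installers, and ping.exe is routine everywhere, but schtasks.exe launched by an executable on the Desktop with a task file in Temp, and ping.exe launched by a cmd.exe that also runs taskkill against that same executable, reproduce the chain the report shows.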

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000003.716656516.00000000017D8000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE
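The "String found in binary or memory" lines above show why the Yara matches land in process memory rather than in the file on disk: the NanoCore type and interface names (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, ClientPlugin.dll) only become visible once the .NET payload is unpacked. The following is an added example, not Joe Sandbox code and not a NanoCore component, that scans memory-dump buffers for those identifiers. The markers are taken from the metadata string the report prints; the DUMPS buffers are constructed stand-ins for the .sdmp files (their names reuse the report's naming format), and the two-marker threshold is this example's own choice.

```python
"""Scan memory-dump buffers for the NanoCore .NET identifiers the report quotes.

Added example, not part of the Joe Sandbox report and not Joe Sandbox or NanoCore code.
MARKERS come from the '<Module>mscorlib...' metadata string the report prints; DUMPS are
constructed byte buffers standing in for the .sdmp files, named in the report's format so
the output reads like the report's 'Yara match' lines.
"""

MARKERS = [
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"ClientPlugin.dll",
]

def find_markers(buf):
    """Return [(offset, encoding, marker)] for every ASCII or UTF-16LE occurrence, by offset.

    Type and member names sit in the metadata #Strings heap as ASCII/UTF-8, but the same
    text appears UTF-16LE wherever it was materialised as a System.String (the #US heap or
    a string object on the managed heap), so an ASCII-only search misses those copies.
    """
    hits = []
    for marker in MARKERS:
        text = marker.decode("ascii")
        for encoding, needle in (("ascii", marker), ("utf-16le", text.encode("utf-16-le"))):
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, encoding, text))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)

def classify(buf, min_distinct=2):
    """Verdict for one buffer: (matched, sorted distinct markers). Requiring two markers
    keeps a lone 'ClientPlugin.dll', a generic enough file name, from firing on its own."""
    distinct = sorted({text for _, _, text in find_markers(buf)})
    return len(distinct) >= min_distinct, distinct

def scan_dumps(dumps):
    """{dump name: bytes} -> {dump name: markers} for the dumps that meet the verdict."""
    result = {}
    for name, buf in dumps.items():
        matched, found = classify(buf)
        if matched:
            result[name] = found
    return result

# Constructed buffers (not real dumps): filler bytes around planted strings.
_FILL = bytes(range(256)) * 4
DUMPS = {
    "00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp":
        _FILL + b"IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHost"
        b"NanoCore.ClientPluginHostIClientNetworkHostIClientUIHost" + _FILL,
    "00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp":
        _FILL + "NanoCore.ClientPluginHost".encode("utf-16-le") + _FILL + b"ClientPlugin.dll",
    "0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp":  # WerFault.exe text only
        _FILL + b"A communication protocol error has occurred between the Hyper-V Host "
        b"and Guest Compute Service." + _FILL,
}

if __name__ == "__main__":
    for name, found in scan_dumps(DUMPS).items():
        print(f"NanoCore markers in {name}: {', '.join(found)}")
```

Run against real dumps, the same functions take the file bytes in place of the DUMPS values; the WerFault.exe entry is there to show that a dump from an unrelated process in the same analysis produces no hit.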
Behavior Graph

Behavior Graph ID: 321011
Sample: Quotation ATB-PR28500KINH.exe
Startdate: 20/11/2020
Architecture: WINDOWS
Score: 100

Signatures on the root node: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

Process tree as rendered in the graph (dropped files, network endpoints and signatures are listed under the process they belong to):

Quotation ATB-PR28500KINH.exe (started)
    dropped: C:\Users\user\AppData\...\HJdyTuap.exe, PE32
    dropped: C:\Users\user\AppData\Roaming\4esd, PE32
    dropped: C:\Users\user\...\4esd:Zone.Identifier, ASCII
    signatures: Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier)
    Quotation ATB-PR28500KINH.exe (started)
        network: petroleum.sytes.net 185.140.53.139, port 1430 (source port 49746), DAVID_CRAIGGG, Sweden
        dropped: C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO
        dropped: C:\Users\user\AppData\Local\...\tmp5BDB.tmp, XML
        cmd.exe (started)
            network: 1.1.1.1, CLOUDFLARENETUS, Australia
            signatures: Uses ping.exe to sleep
            conhost.exe (started)
            taskkill.exe (started)
            PING.EXE (started)
        schtasks.exe (started)
            conhost.exe (started)
        schtasks.exe (started)
            conhost.exe (started)
        schtasks.exe (started)
            conhost.exe (started)
Quotation ATB-PR28500KINH.exe (started)
    WerFault.exe (started)
        network: 192.168.2.1, unknown, unknown

Contacted Public IPs

IP              Domain   Country    ASN     ASN Name         Malicious
1.1.1.1         unknown  Australia  13335   CLOUDFLARENETUS  true
185.140.53.139  unknown  Sweden     209623  DAVID_CRAIGGG    true

Private

IP
192.168.2.1

Contacted Domains

Name                 IP              Active
petroleum.sytes.net  185.140.53.139  true
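The network indicators above are the part of the report most likely to be reused outside the sandbox: the dynamic-DNS name petroleum.sytes.net, the IP 185.140.53.139 and the non-standard port 1430 it was contacted on. One caveat before copying the table into a blocklist: the table marks 1.1.1.1 as malicious, but the only contact with it anywhere in the report is the "ping -n 1 -w 3000 1.1.1.1" that the sandbox classifies as a sleep, so it is a behavioural artefact rather than an infrastructure indicator, and blocking a public resolver on that basis would cause collateral damage. The following is an added example, not Joe Sandbox code, that matches these indicators against log lines with that distinction built in. The log lines are constructed, in an assumed tab-separated layout loosely modelled on Zeek dns.log and conn.log rather than taken from any capture; the severities and the "context only" handling of 1.1.1.1 are this example's own choices.

```python
"""Match the report's network indicators against DNS and connection log lines.

Added example, not part of the Joe Sandbox report. The indicators are the report's own
values (petroleum.sytes.net, 185.140.53.139 on port 1430, and 1.1.1.1); the log lines are
constructed, in an assumed tab-separated layout loosely modelled on Zeek dns.log and
conn.log, not taken from a real capture.
"""

C2_DOMAINS = {"petroleum.sytes.net"}
C2_ENDPOINTS = {("185.140.53.139", 1430)}   # port 1430: the non-standard port the report flags
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}
# 1.1.1.1 is listed as contacted, but only as the target of 'ping -n 1 -w 3000' used as a
# delay. Treating it as C2 would block a public resolver, so it is tracked as context only.
CONTEXT_IPS = {"1.1.1.1"}

def match_dns(line):
    """dns.log-style line: ts, client, query, answer. Returns a finding or None."""
    ts, client, query, answer = line.rstrip("\n").split("\t")
    q = query.rstrip(".").lower()
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return f"{ts} {client} resolved C2 domain {q} -> {answer}"
    return None

def match_conn(line):
    """conn.log-style line: ts, src, dst, dst_port, proto. Returns (severity, text) or None."""
    ts, src, dst, dport, proto = line.rstrip("\n").split("\t")
    dport = int(dport)
    if (dst, dport) in C2_ENDPOINTS:
        return "high", f"{ts} {src} -> {dst}:{dport}/{proto} NanoCore C2 endpoint"
    if dst in C2_HOSTS:
        return "medium", f"{ts} {src} -> {dst}:{dport}/{proto} C2 host on a port not seen in the report"
    if dst in CONTEXT_IPS and proto == "icmp":
        return "info", f"{ts} {src} pinged {dst}: matches the sample's ping-based sleep, not C2"
    return None

def scan(dns_lines, conn_lines):
    """Return (dns findings, {severity: [conn findings]})."""
    dns_hits = [f for f in map(match_dns, dns_lines) if f]
    conn_hits = {"high": [], "medium": [], "info": []}
    for severity, text in filter(None, map(match_conn, conn_lines)):
        conn_hits[severity].append(text)
    return dns_hits, conn_hits

# Constructed log lines (not a real capture); 192.168.2.x mirrors the sandbox's private range.
DNS_LOG = [
    "1605859200.1\t192.168.2.5\tpetroleum.sytes.net\t185.140.53.139",
    "1605859201.0\t192.168.2.5\twww.example.com\t93.184.216.34",
]
CONN_LOG = [
    "1605859200.5\t192.168.2.5\t185.140.53.139\t1430\ttcp",
    "1605859210.0\t192.168.2.5\t1.1.1.1\t0\ticmp",
    "1605859220.0\t192.168.2.7\t185.140.53.139\t443\ttcp",
    "1605859230.0\t192.168.2.5\t1.1.1.1\t53\tudp",   # ordinary DNS to Cloudflare: no finding
]

if __name__ == "__main__":
    dns_hits, conn_hits = scan(DNS_LOG, CONN_LOG)
    for text in dns_hits:
        print("DNS   ", text)
    for severity in ("high", "medium", "info"):
        for text in conn_hits[severity]:
            print(f"{severity:<6}", text)
```

The domain match is the more durable of the two: sytes.net is dynamic DNS, so the operator can move petroleum.sytes.net to a new IP without touching the implant, which is why the same host on a different port is still reported (at medium) and why the name, not just the IP, belongs in the watchlist.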