Analysis Report z2d6Yt5v.exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: z2d6Yt5v.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Avira: detection malicious, Label: TR/Dropper.Gen7

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Virustotal: Detection: 84%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Metadefender: Detection: 89%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Virustotal: Detection: 84%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Metadefender: Detection: 89%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: z2d6Yt5v.exe	Virustotal: Detection: 84%			Perma Link
Source: z2d6Yt5v.exe	Metadefender: Detection: 89%			Perma Link

Yara detected Njrat

Source: Yara match	File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match	File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match	File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z2d6Yt5v.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 15.2.Core Service.exe.920000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 15.0.Core Service.exe.920000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 7.2.Core Service.exe.ec0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 2.2.Core Service.exe.8b0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 2.0.Core Service.exe.8b0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.0.Core Service.exe.810000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 7.0.Core Service.exe.ec0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.2.Core Service.exe.810000.0.unpack	Avira: Label: TR/Dropper.Gen7

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 81.249.236.18:5553

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: noiphack93.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Source: z2d6Yt5v.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: Core Service.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat

Source: Yara match	File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match	File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match	File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 2_2_02B31BBA NtQuerySystemInformation,		2_2_02B31BBA
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 2_2_02B31B7F NtQuerySystemInformation,		2_2_02B31B7F

Sample file is different than original file name gathered from version info

Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211523908.0000000004E80000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs z2d6Yt5v.exe

Yara signature match

Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: z2d6Yt5v.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Classification label

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 2_2_02B31606 AdjustTokenPrivileges,		2_2_02B31606
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 2_2_02B315CF AdjustTokenPrivileges,		2_2_02B315CF

Creates files inside the user directory

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Mutant created: \Sessions\1\BaseNamedObjects\af48625ee196d906557ab2d838a9cc2f

Creates temporary files

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File created: C:\Users\user\AppData\Local\Temp\Core Service.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: z2d6Yt5v.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: z2d6Yt5v.exe	Virustotal: Detection: 84%
Source: z2d6Yt5v.exe	Metadefender: Detection: 89%

Sample reads its own file content

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File read: C:\Users\user\Desktop\z2d6Yt5v.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\z2d6Yt5v.exe 'C:\Users\user\Desktop\z2d6Yt5v.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

PE file contains a COM descriptor data directory

Source: z2d6Yt5v.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: z2d6Yt5v.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Source: z2d6Yt5v.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Core Service.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Code function: 0_2_005E5021 push cs; ret		0_2_005E5022
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 2_2_008B5021 push cs; ret		2_2_008B5022
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 7_2_00EC5021 push cs; ret		7_2_00EC5022
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 10_2_00815021 push cs; ret		10_2_00815022
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Code function: 15_2_00925021 push cs; ret		15_2_00925022

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe			Jump to dropped file
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	File created: C:\Users\user\AppData\Local\Temp\Core Service.exe			Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f

Jump to behavior

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe

Jump to behavior

Creates an autostart registry key

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\z2d6Yt5v.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

Window / User API: threadDelayed 6312

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\z2d6Yt5v.exe TID: 3984	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5036	Thread sleep count: 6312 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2308	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2044	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5372	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWdingCollectionE)
Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliceFiltersSection, System.Web.Mobile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Source: z2d6Yt5v.exe, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: z2d6Yt5v.exe, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Core Service.exe.0.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: Core Service.exe.0.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\z2d6Yt5v.exe

Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp	Binary or memory string: Program Manager|9kr
Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Local\Temp\Core Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Source: unknown

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: unknown

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE

Stealing of Sensitive Information:

Yara detected Njrat

Source: Yara match	File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match	File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match	File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected njRat

Source: z2d6Yt5v.exe, OK.cs	.Net Code: njRat config detected
Source: Core Service.exe.0.dr, OK.cs	.Net Code: njRat config detected
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs	.Net Code: njRat config detected
Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs	.Net Code: njRat config detected

Yara detected Njrat

Source: Yara match	File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match	File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match	File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match	File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE