Analysis Report OFFER.exe

Overview

General Information

Sample Name: OFFER.exe
Analysis ID: 322137
MD5: f0a3b70a92ece3204289b3e1e25c9942
SHA1: 5af0534294c9f5fd1ada722919ec8583f88f2ac9
SHA256: 0a09ec08c850081ffb281f5716859d62093a5f772266503cb67d5e49a4ecd4f4
Tags: NanoCore

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • OFFER.exe (PID: 6088 cmdline: 'C:\Users\user\Desktop\OFFER.exe' MD5: F0A3B70A92ECE3204289B3E1E25C9942)
    • schtasks.exe (PID: 5436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • OFFER.exe (PID: 5056 cmdline: C:\Users\user\Desktop\OFFER.exe MD5: F0A3B70A92ECE3204289B3E1E25C9942)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1116cd:$x1: NanoCore.ClientPluginHost
  • 0x143eed:$x1: NanoCore.ClientPluginHost
  • 0x11170a:$x2: IClientNetworkHost
  • 0x143f2a:$x2: IClientNetworkHost
  • 0x11523d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x147a5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x111435:$a: NanoCore
  • 0x111445:$a: NanoCore
  • 0x111679:$a: NanoCore
  • 0x11168d:$a: NanoCore
  • 0x1116cd:$a: NanoCore
  • 0x143c55:$a: NanoCore
  • 0x143c65:$a: NanoCore
  • 0x143e99:$a: NanoCore
  • 0x143ead:$a: NanoCore
  • 0x143eed:$a: NanoCore
  • 0x111494:$b: ClientPlugin
  • 0x111696:$b: ClientPlugin
  • 0x1116d6:$b: ClientPlugin
  • 0x143cb4:$b: ClientPlugin
  • 0x143eb6:$b: ClientPlugin
  • 0x143ef6:$b: ClientPlugin
  • 0x1115bb:$c: ProjectData
  • 0x143ddb:$c: ProjectData
  • 0x111fc2:$d: DESCrypto
  • 0x1447e2:$d: DESCrypto
  • 0x11998e:$e: KeepAlive
00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\OFFER.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\OFFER.exe', ParentImage: C:\Users\user\Desktop\OFFER.exe, ParentProcessId: 6088, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', ProcessId: 5436

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: OFFER.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe | Avira: detection malicious, Label: TR/AD.Nanocore.gzsda
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe | Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe | ReversingLabs: Detection: 68%
Multi AV Scanner detection for submitted file
Source: OFFER.exe | Virustotal: Detection: 57%
Source: OFFER.exe | Metadefender: Detection: 37%
Source: OFFER.exe | ReversingLabs: Detection: 68%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 4x nop then jmp 055428F7h 0_2_055427EA

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: udochukwu.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49711 -> 37.18.96.19:2323
Source: unknown | DNS traffic detected: queries for: udochukwu.ddns.net

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_05531016 NtQuerySystemInformation, 0_2_05531016
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_05530FE5 NtQuerySystemInformation, 0_2_05530FE5
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00723AED 0_2_00723AED
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A209C8 0_2_02A209C8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A21D2E 0_2_02A21D2E
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A209CD 0_2_02A209CD
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A231D8 0_2_02A231D8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A28EA8 0_2_02A28EA8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A28FB2 0_2_02A28FB2
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A22F88 0_2_02A22F88
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A22F77 0_2_02A22F77
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A23C32 0_2_02A23C32
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A2E598 0_2_02A2E598
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00722050 0_2_00722050
Source: OFFER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RplepwTnfZYE.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OFFER.exe, 00000000.00000000.202703558.00000000007B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.213553763.0000000005BC0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212759761.0000000005460000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212203919.0000000005050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs OFFER.exe
Source: OFFER.exe, 00000003.00000000.208615410.0000000001024000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: OFFER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RplepwTnfZYE.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OFFER.exe, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@9/2
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_05530E9A AdjustTokenPrivileges, 0_2_05530E9A
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_05530E63 AdjustTokenPrivileges, 0_2_05530E63
Source: C:\Users\user\Desktop\OFFER.exe | File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e9662336-59a2-4ebb-989e-7c602bdb23a8}
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\qkUPEOxutgScEw
Source: C:\Users\user\Desktop\OFFER.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp
Source: OFFER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\OFFER.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OFFER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OFFER.exe | Virustotal: Detection: 57%
Source: OFFER.exe | Metadefender: Detection: 37%
Source: OFFER.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\OFFER.exe | File read: C:\Users\user\Desktop\OFFER.exe
Source: unknown | Process created: C:\Users\user\Desktop\OFFER.exe 'C:\Users\user\Desktop\OFFER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\OFFER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: OFFER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\OFFER.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: OFFER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: OFFER.exe, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00EA2010 push eax; retf 0_2_00EA2011
Source: initial sample | Static PE information: section name: .text entropy: 7.70065403732
Source: initial sample | Static PE information: section name: .text entropy: 7.70065403732
Source: C:\Users\user\Desktop\OFFER.exe | File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\OFFER.exe | File opened: C:\Users\user\Desktop\OFFER.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\OFFER.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OFFER.exe PID: 6088, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\OFFER.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\OFFER.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OFFER.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OFFER.exe | Window / User API: threadDelayed 647
Source: C:\Users\user\Desktop\OFFER.exe | Window / User API: threadDelayed 852
Source: C:\Users\user\Desktop\OFFER.exe | Window / User API: foregroundWindowGot 988
Source: C:\Users\user\Desktop\OFFER.exe TID: 6064 | Thread sleep time: -49583s >= -30000s
Source: C:\Users\user\Desktop\OFFER.exe TID: 2796 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\OFFER.exe TID: 5076 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\OFFER.exe TID: 5072 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\OFFER.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OFFER.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\OFFER.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\OFFER.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\OFFER.exe | Memory written: C:\Users\user\Desktop\OFFER.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00E9AEFE GetUserNameW, 0_2_00E9AEFE
Source: C:\Users\user\Desktop\OFFER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | Security Software Discovery211 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection111 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection111 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information3 | Proc Filesystem | System Information Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing12 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

Behavior Graph

[Behavior graph image: nodes for processes, signatures, created files and DNS/IP info; not reproduced in text]