Analysis Report ORDER PMX-PT-2001 STOCK+NOVO.exe

Overview

General Information

Sample Name: ORDER PMX-PT-2001 STOCK+NOVO.exe
Analysis ID: 323078
MD5: ce724d85d4615439ff27f5573c9aaa8f
SHA1: 5de819c63b446cf675c69376c9d7ec478dea9060
SHA256: 7534a4ffb8ef83103485bcce9d51b2af93730a9d578e2b8b5f7ff473c0f8092d
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ORDER PMX-PT-2001 STOCK+NOVO.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe' MD5: CE724D85D4615439FF27F5573C9AAA8F)
    • schtasks.exe (PID: 5776 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 4544 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1109d:$x1: NanoCore.ClientPluginHost
  • 0x438bd:$x1: NanoCore.ClientPluginHost
  • 0x110da:$x2: IClientNetworkHost
  • 0x438fa:$x2: IClientNetworkHost
  • 0x14c0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4742d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.MSBuild.exe.5960000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
3.2.MSBuild.exe.5960000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
3.2.MSBuild.exe.5960000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.2.MSBuild.exe.54f0000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
3.2.MSBuild.exe.54f0000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 4544, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe', ParentImage: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe, ParentProcessId: 7136, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp', ProcessId: 5776

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OBtaLehuZHtd.exe | Virustotal: Detection: 29%
Multi AV Scanner detection for submitted file
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe | Virustotal: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.599041317.0000000005960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.597422084.00000000041A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4544, type: MEMORY
Source: Yara match | File source: 3.2.MSBuild.exe.5960000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.5960000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OBtaLehuZHtd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe | Joe Sandbox ML: detected
Source: 3.2.MSBuild.exe.5960000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 3.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic | TCP traffic: 192.168.2.6:49714 -> 185.157.162.81:40700
Source: Joe Sandbox View | IP Address: 185.157.162.81
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: MSBuild.exe, 00000003.00000002.599041317.0000000005960000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.599041317.0000000005960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.598672636.00000000054F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.597422084.00000000041A7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 4544, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 4544, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.MSBuild.exe.5960000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.MSBuild.exe.54f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.MSBuild.exe.5960000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106AB1E NtQuerySystemInformation
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106A9AE NtQueryInformationProcess
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106A98C NtQueryInformationProcess
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106AAE3 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_054C10CA NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_054C108F NtQuerySystemInformation
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE08B0
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE0099
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE183D
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE3074
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE8DF8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE2900
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE9FA8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE9FB8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE33E8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE33F8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE08A0
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE28F3
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE19A3
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE8DE9
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AEA1FB
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_02AE9178
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_05925C48
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_05920006
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_05925C39
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_05920070
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_05929B20
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_059252D8
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_059252CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_05393850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_05398F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_05398358
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_0539ABB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_05392FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_053923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_0539901F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_0539306F
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe | Binary or memory string: OriginalFilename vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.362888953.0000000005F20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.365523105.0000000006020000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.365523105.0000000006020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.362224387.00000000057D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.360789536.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.355858899.0000000000692000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2e6s.exeP vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe | Binary or memory string: OriginalFilename2e6s.exeP vs ORDER PMX-PT-2001 STOCK+NOVO.exe
Source: 00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.592799411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.360073804.0000000003FDD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.599041317.0000000005960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.599041317.0000000005960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.598672636.00000000054F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.598672636.00000000054F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.597422084.00000000041A7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 4544, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 4544, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.MSBuild.exe.5960000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.MSBuild.exe.5960000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MSBuild.exe.54f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.MSBuild.exe.54f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.MSBuild.exe.5960000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.MSBuild.exe.5960000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@4/1
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106A65E AdjustTokenPrivileges
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Code function: 0_2_0106A627 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_054C0E8A AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_054C0E53 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | File created: C:\Users\user\AppData\Roaming\OBtaLehuZHtd.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebbd9300-ed31-4d29-88d8-4f7b7a7f8653}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Mutant created: \Sessions\1\BaseNamedObjects\aImaDyYoa
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp
Source: ORDER PMX-PT-2001 STOCK+NOVO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exeVirustotal: Detection: 29%
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeFile read: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe 'C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.360789536.0000000005380000.00000002.00000001.sdmp, MSBuild.exe, 00000003.00000002.598762495.0000000005520000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003du003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Code function: 0_2_00698320 push edi; ret 0_2_0069832F
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Code function: 0_2_02AE7565 push edx; retf 0_2_02AE756B
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Code function: 0_2_05928028 push esp; retf 0_2_05928029
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_014A750C pushad ; retf 3_2_014A750D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_014A9D30 pushad ; retf 3_2_014A9D31
        Source: initial sample Static PE information: section name: .text entropy: 7.26187672346
        Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe File created: C:\Users\user\AppData\Roaming\OBtaLehuZHtd.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match File source: 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.357341507.0000000002F8C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: ORDER PMX-PT-2001 STOCK+NOVO.exe PID: 7136, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Window / User API: threadDelayed 591
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Window / User API: threadDelayed 863
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Window / User API: threadDelayed 386
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Window / User API: foregroundWindowGot 804
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe TID: 7140 Thread sleep time: -50704s >= -30000s
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6072 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 3_2_054C231E GetSystemInfo,3_2_054C231E
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: MSBuild.exe, 00000003.00000002.599513915.0000000006220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
        Source: MSBuild.exe, 00000003.00000002.593733078.0000000001308000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW^L
        Source: MSBuild.exe, 00000003.00000002.599513915.0000000006220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: MSBuild.exe, 00000003.00000002.599513915.0000000006220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: MSBuild.exe, 00000003.00000002.593733078.0000000001308000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: ORDER PMX-PT-2001 STOCK+NOVO.exe, 00000000.00000002.357258593.0000000002F01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: MSBuild.exe, 00000003.00000002.599513915.0000000006220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D20008
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OBtaLehuZHtd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1BEF.tmp'
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: MSBuild.exe, 00000003.00000002.595744580.0000000003171000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: MSBuild.exe, 00000003.00000002.594332828.0000000001920000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: MSBuild.exe, 00000003.00000002.594332828.0000000001920000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: MSBuild.exe, 00000003.00000002.594332828.0000000001920000.00000002.00000001.sdmp Binary or memory string: &Program Manager
        Source: MSBuild.exe, 00000003.00000002.594332828.0000000001920000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\ORDER PMX-PT-2001 STOCK+NOVO.exe Code function: 0_2_0106B912 GetUserNameW,0_2_0106B912
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:
