Analysis Report Purchase Order #(PO-4147074).exe

Overview

General Information

Sample Name: Purchase Order #(PO-4147074).exe
Analysis ID: 337361
MD5: b3ddd600d5608af2f0e334d71fff40ed
SHA1: d3985f7660b23bb7837ab58a464259e73b15feef
SHA256: 9947c185b51b600edf4ad76e442cfbdf8a7621140c5197001844891312b69146
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order #(PO-4147074).exe (PID: 5284 cmdline: 'C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe' MD5: B3DDD600D5608AF2F0E334D71FFF40ED)
    • schtasks.exe (PID: 6004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["212.83.46.26:4021", "212.83.46.26", "127.0.0.1:4021"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(Table truncated; the full report lists 17 entries.)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(Table truncated; the full report lists 7 entries.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe, ProcessId: 1536, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe' , ParentImage: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe, ParentProcessId: 5284, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp', ProcessId: 6004

      Signature Overview


AV Detection:

Found malware configuration
Source: Purchase Order #(PO-4147074).exe.1536.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["212.83.46.26:4021", "212.83.46.26", "127.0.0.1:4021"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FTbYDVOHFNt.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Order #(PO-4147074).exe | Joe Sandbox ML: detected
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Purchase Order #(PO-4147074).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order #(PO-4147074).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Code function: 4x nop then jmp 05E92236h | 0_2_05E92163

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 212.83.46.26:4021
Source: Malware configuration extractor | IPs: 212.83.46.26
Source: Malware configuration extractor | IPs: 127.0.0.1:4021
Source: global traffic | TCP traffic: 192.168.2.3:49723 -> 212.83.46.26:4021
Source: Joe Sandbox View | ASN Name: TTMDE TTMDE
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 (this entry is repeated 50 times in the report)
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229892856.0000000000DCB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order #(PO-4147074).exe
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Code function: 3_2_00F8E480
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Code function: 3_2_00F8E471
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Code function: 3_2_00F8BBD4
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239810218.00000000064C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239810218.00000000064C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239553221.0000000005CA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229892856.0000000000DCB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229611492.0000000000678000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239684106.00000000063C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.581627878.00000000006B8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591844560.0000000005E80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.590522113.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe
Source: Purchase Order #(PO-4147074).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Purchase Order #(PO-4147074).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FTbYDVOHFNt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@0/4
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File created: C:\Users\user\AppData\Roaming\FTbYDVOHFNt.exe
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Mutant created: \Sessions\1\BaseNamedObjects\kTGjqdiOHfstXxugVi
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3b0a05ab-e8be-49ea-960f-63681280e339}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File created: C:\Users\user\AppData\Local\Temp\tmp8E62.tmp
Source: Purchase Order #(PO-4147074).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Purchase Order #(PO-4147074).exe, 00000000.00000000.201664009.00000000005B2000.00000002.00020000.sdmp, Purchase Order #(PO-4147074).exe, 00000003.00000000.228729264.00000000005F2000.00000002.00020000.sdmp | Binary or memory string: SELECT BILLNO, CUSTOMERNAME, HOSPITAL_NAME, BLOOD_GROUP, PURCHASE_DATE, NO_OF_PACKET, PRICE FROM CUSTOMER WHERE BILLNO={0}<tr>K<td><b>Bill No.: </b>&nbsp;&nbsp;<tt>
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File read: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe 'C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp'
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process created: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase Order #(PO-4147074).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order #(PO-4147074).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Code function: 0_2_05E94C95 push FFFFFF8Bh; iretd 0_2_05E94C97
      Source: initial sample | Static PE information: section name: .text entropy: 7.78209030253
      Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File created: C:\Users\user\AppData\Roaming\FTbYDVOHFNt.exe (dropped file)

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FTbYDVOHFNt' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E62.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File opened: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Window / User API: threadDelayed 4875
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Window / User API: threadDelayed 4773
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Window / User API: foregroundWindowGot 1367
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Window / User API: foregroundWindowGot 455
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe TID: 4088 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe TID: 5280 | Thread sleep time: -52947s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe TID: 2992 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe TID: 6096 | Thread sleep time: -17524406870024063s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229916054.0000000000DFF000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information queried: ProcessInformation