Analysis Report Payment_Confirmation pdf.exe

Overview

General Information

Sample Name: Payment_Confirmation pdf.exe
Analysis ID: 337596
MD5: 767f88a961bfbc1b8f8419a32fbade0b
SHA1: 5577d0635fca390c305ff560ca80a6ea19ff7c5b
SHA256: 4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore RAT
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
Allocates memory in foreign processes
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment_Confirmation pdf.exe Avira: detected
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY
Machine Learning detection for sample
Source: Payment_Confirmation pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Payment_Confirmation pdf.exe.590000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.0.Payment_Confirmation pdf.exe.590000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen

Compliance:

Uses 32bit PE files
Source: Payment_Confirmation pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment_Confirmation pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Accessibility.pdb source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp
Source: Binary string: vbc.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: Accessibility.pdbBSJB source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DBD5B1 FindFirstFileW,WideCharToMultiByte,FindFirstFileA, 11_2_00DBD5B1

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49724 -> 185.244.38.210:7008
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.38.210
Source: dhcpmon.exe, 0000000D.00000002.263266383.0000000000BAA000.00000004.00000010.sdmp String found in binary or memory: http://go.microsoft

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_Confirmation pdf.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_Confirmation pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F46878 0_2_00F46878
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F41820 0_2_00F41820
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F41811 0_2_00F41811
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F415C0 0_2_00F415C0
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F415B1 0_2_00F415B1
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Code function: 0_2_00F40682 0_2_00F40682
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D420DD 11_2_00D420DD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D42066 11_2_00D42066
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00E91438 11_2_00E91438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D41424 11_2_00D41424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00EDE9EE 11_2_00EDE9EE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00EDF9BA 11_2_00EDF9BA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D4DD20 11_2_00D4DD20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D5A699 11_2_00D5A699
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DAF65C 11_2_00DAF65C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00F44BCE 11_2_00F44BCE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00EDE3B9 11_2_00EDE3B9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D420DD 13_2_00D420DD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00DD50F2 13_2_00DD50F2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D42066 13_2_00D42066
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00EDE9EE 13_2_00EDE9EE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00EDF9BA 13_2_00EDF9BA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D47279 13_2_00D47279
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00F44BCE 13_2_00F44BCE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00EDE3B9 13_2_00EDE3B9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00E91438 13_2_00E91438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D4E430 13_2_00D4E430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D41424 13_2_00D41424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D4DD20 13_2_00D4DD20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00DD7614 13_2_00DD7614
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: String function: 00E917B0 appears 150 times
PE file contains executable resources (Code or Archives)
Source: dhcpmon.exe.4.dr Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
PE file contains strange resources
Source: Payment_Confirmation pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs Payment_Confirmation pdf.exe
Uses 32bit PE files
Source: Payment_Confirmation pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Payment_Confirmation pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Payment_Confirmation pdf.exe, hpCGGsxnBfkpZyTC.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Payment_Confirmation pdf.exe.590000.0.unpack, hpCGGsxnBfkpZyTC.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Payment_Confirmation pdf.exe.590000.0.unpack, hpCGGsxnBfkpZyTC.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@21/12@0/1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00EB9F6C GetSystemDefaultLangID,FormatMessageW,_ultow_s,SysAllocString,GetLastError,SysFreeString,SysFreeString, 11_2_00EB9F6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Confirmation pdf.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{8b524be1-f4fe-4386-bd3a-d447c26466aa}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Users\user\AppData\Local\Temp\tmp863B.tmp
Source: Payment_Confirmation pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dhcpmon.exe String found in binary or memory: </Stop>
Source: unknown Process created: C:\Users\user\Desktop\Payment_Confirmation pdf.exe 'C:\Users\user\Desktop\Payment_Confirmation pdf.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment_Confirmation pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Confirmation pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Accessibility.pdb source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp
Source: Binary string: vbc.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: Accessibility.pdbBSJB source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D43560 push eax; iretd 11_2_00D43581
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D42AC8 push A80020C3h; ret 11_2_00D42ACD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D42B08 push B80020CAh; retf 0020h 11_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00D42B30 push B80020CAh; retf 0020h 11_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D42AC8 push A80020C3h; ret 13_2_00D42ACD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D42B08 push B80020CAh; retf 0020h 13_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D42B30 push B80020CAh; retf 0020h 13_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00D43560 push eax; iretd 13_2_00D43581
Source: initial sample Static PE information: section name: .text entropy: 7.99650215148

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477
Note: 922337203685477 is Int64.MaxValue / 10000, i.e. .NET's TimeSpan.MaxValue expressed in whole milliseconds, so this is an effectively infinite delay rather than a timed sleep.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 5145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 4380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: foregroundWindowGot 565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: foregroundWindowGot 762
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe TID: 4472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 204 Thread sleep time: -13835058055282155s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DBD5B1 FindFirstFileW,WideCharToMultiByte,FindFirstFileA, 11_2_00DBD5B1
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00F44FA1 IsDebuggerPresent,_crt_debugger_hook,__crtUnhandledException,_crt_debugger_hook,__crtTerminateProcess, 11_2_00F44FA1
Note: the IsDebuggerPresent / _crt_debugger_hook / __crtUnhandledException / __crtTerminateProcess sequence is the Visual C++ runtime's standard abort path and is present in most MSVC-built binaries; on its own it is not evidence of deliberate anti-debugging in dhcpmon.exe.
Enables debug privileges
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 420000
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 51A1008
Note: the sample allocates an executable region at the target's image base (0x400000), writes a PE image (MZ header) there and then fills the following pages, which is the process-hollowing pattern. The final write at 0x51A1008 lands at offset 8 of a page-aligned region; on 32-bit Windows that is the offset of the PEB's ImageBaseAddress field, so it is consistent with the loader updating the new image base, although the report does not identify the region.
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (4 identical entries, matching the four vbc.exe children in the behavior graph)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Confirmation pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DCFAFA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_00DCFAFA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DBCB89 GetVersionExA, 11_2_00DBCB89
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
(the three queries above are repeated 22 times each in the report, 66 entries in total)
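The entries in the "HIPS / PFW / Operating System Protection Evasion" section and the WMI queries in this section are low-level events; what an analyst actually wants is the correlated pattern. The Python below is an added example (not part of the Joe Sandbox report and not NanoCore's code) that reads "Source: <process> <event>: <details>" lines exactly as printed in this report and raises three findings: a PE injection (an MZ header written into an executable allocation in a process the source itself created), a scheduled task registered from an XML file in a temp directory, and enumeration of installed security products via ROOT\SecurityCenter2. The report lines are embedded verbatim; the explorer.exe control line, the rule names and the Finding type are constructed for the example.

```python
"""Correlate Joe Sandbox-style behavior entries into higher-level findings (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Entries copied from the report sections above ("Jump to behavior" suffix dropped).
# The last entry is a constructed control line, not from the report, so the task rule
# can be seen not to fire on a task XML that lives outside a temp directory.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 420000",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 51A1008",
    r"Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    # constructed control line (hypothetical vendor updater, not in the report)
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe 'schtasks.exe' /create /tn 'Vendor Update' /xml 'C:\Program Files\Vendor\update.xml'",
]

LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<event>Process created|Memory allocated|Memory written|WMI Queries): (?P<rest>.*)$")
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<protect>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
PROC_RE = re.compile(r"^(?P<image>.+?\.exe) (?P<cmdline>.+)$", re.IGNORECASE)
XML_RE = re.compile(r"/xml\s+'(?P<path>[^']+)'", re.IGNORECASE)
WMI_RE = re.compile(r"^IWbemServices::ExecQuery - (?P<ns>\S+) : SELECT .+ FROM (?P<cls>\w+)$", re.IGNORECASE)

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SECURITY_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "pe_injection", "task_from_temp" or "security_product_enum"
    source: str  # process that performed the action
    detail: str


def analyze(lines):
    """Return the findings the rules derive from the given behavior entries."""
    created = set()                 # (src, target image) pairs from Process created
    exec_allocs = set()             # (src, target, base) allocations with execute permission
    pe_writes = {}                  # (src, target) -> first base where an MZ header was written
    write_count = defaultdict(int)  # (src, target) -> number of foreign writes
    wmi_classes = defaultdict(set)  # src -> SecurityCenter2 classes queried
    findings = []
    for line in lines:
        m = LINE_RE.match(line.replace(" Jump to behavior", ""))
        if not m:
            continue
        src, event, rest = m.group("src"), m.group("event"), m.group("rest")
        if event == "Memory allocated":
            a = ALLOC_RE.match(rest)
            if a and "execute" in a.group("protect").lower():
                exec_allocs.add((src, a.group("target").lower(), a.group("base").upper()))
        elif event == "Memory written":
            w = WRITE_RE.match(rest)
            if w:
                key = (src, w.group("target").lower())
                write_count[key] += 1
                if (w.group("magic") or "").upper().startswith("4D5A"):
                    pe_writes.setdefault(key, w.group("base").upper())
        elif event == "Process created":
            p = PROC_RE.match(rest)
            if not p:
                continue
            image = p.group("image").lower()
            created.add((src, image))
            if image.endswith("schtasks.exe"):
                x = XML_RE.search(p.group("cmdline"))
                if x and any(t in x.group("path").lower() for t in TEMP_DIRS):
                    findings.append(Finding("task_from_temp", src, f"schtasks registers a task from {x.group('path')}"))
        elif event == "WMI Queries":
            q = WMI_RE.match(rest)
            if q and q.group("ns").lower() == r"root\securitycenter2":
                wmi_classes[src].add(q.group("cls").lower())
    # An MZ header written into an executable region the source allocated, inside a
    # process the source created, is the injection pattern this report describes.
    for (src, target), base in pe_writes.items():
        if (src, target) in created and (src, target, base) in exec_allocs:
            findings.append(Finding("pe_injection", src, f"MZ header written to {target} at 0x{base} inside an executable allocation ({write_count[(src, target)]} writes total)"))
    for src, classes in wmi_classes.items():
        if SECURITY_CLASSES <= classes:
            findings.append(Finding("security_product_enum", src, "enumerates AntiVirus, AntiSpyware and Firewall products via ROOT\\SecurityCenter2"))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_LINES):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

Run as-is it prints four findings (two tasks from %TEMP%, one injection into vbc.exe with five writes, one security-product enumeration by vbc.exe) and nothing for the control line. The injection rule deliberately requires all three events from the same source process; a single foreign write or a single RWX allocation on its own is too common in legitimate software (debuggers, .NET profilers) to be worth an alert.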

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: Payment_Confirmation pdf.exe, 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: vbc.exe, 00000004.00000003.262074990.000000000A8CE000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00DB7B2A CorBindToCurrentRuntime, 11_2_00DB7B2A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00DB7B2A CorBindToCurrentRuntime, 13_2_00DB7B2A
Note: the only evidence cited for this signature is CorBindToCurrentRuntime, a CLR hosting API; it shows that the native dhcpmon.exe loads the .NET runtime in-process, not that it binds a listening socket. The remote-access verdict rests on the NanoCore Yara and string matches above, not on this entry.
Behavior Graph (ID: 337596, Sample: Payment_Confirmation pdf.exe, Startdate: 08/01/2021, Architecture: WINDOWS, Score: 100)

Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 7 other signatures

Process tree recovered from the graph:

Payment_Confirmation pdf.exe  [Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process]
  drops: C:\...\Payment_Confirmation pdf.exe.log (ASCII)
  +-- vbc.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
  |     network: 185.244.38.210, 49724, 49726, 49733 (ASN-QUADRANET-GLOBALUS, Netherlands)
  |     drops: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp863B.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
  |     +-- schtasks.exe --> conhost.exe
  |     +-- schtasks.exe --> conhost.exe
  +-- vbc.exe
  +-- vbc.exe
  +-- vbc.exe
vbc.exe --> conhost.exe
dhcpmon.exe --> conhost.exe
dhcpmon.exe --> conhost.exe

Contacted Public IPs

IP              Domain   Country      ASN   ASN Name                Malicious
185.244.38.210  unknown  Netherlands  8100  ASN-QUADRANET-GLOBALUS  false