
Analysis Report Payment_Confirmation pdf.exe

Overview

General Information

Sample Name:Payment_Confirmation pdf.exe
Analysis ID:337596
MD5:767f88a961bfbc1b8f8419a32fbade0b
SHA1:5577d0635fca390c305ff560ca80a6ea19ff7c5b
SHA256:4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
Tags:exe


Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
Allocates memory in foreign processes
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment_Confirmation pdf.exe (PID: 2800 cmdline: 'C:\Users\user\Desktop\Payment_Confirmation pdf.exe' MD5: 767F88A961BFBC1B8F8419A32FBADE0B)
    • vbc.exe (PID: 5332 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5952 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 1516 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5352 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
      • schtasks.exe (PID: 4660 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2172 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • vbc.exe (PID: 3996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 0 MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5836 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 1000 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
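The Startup tree above is the whole story of this sample in one view: a desktop executable starts the .NET compiler vbc.exe four times with no command line (the RunPE.pdb string further down tells you why: the compiler is only a host for the injected payload), the last copy registers two scheduled tasks, and the dropped dhcpmon.exe (same MD5 as vbc.exe) is what the tasks relaunch. The following Python is an added example, not part of the Joe Sandbox report: it transcribes the tree into records (parent PIDs inferred from the indentation, 0 where no parent is shown), re-renders it, and flags the hollowing pattern. The allow-list of legitimate compiler parents and the watch-list of hollowing hosts are assumptions for the heuristic.

```python
"""Rebuild the report's Startup tree and flag hollowed .NET host processes.

Added example, not part of the Joe Sandbox report. PIDs and paths are the
report's; parent PIDs are inferred from the tree's indentation. BUILD_PARENTS
and HOLLOW_TARGETS are assumed lists for the heuristic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    args: str


# Transcribed from the Startup section (ppid 0 = no parent shown).
PROCS: List[Proc] = [
    Proc(2800, 0, r"C:\Users\user\Desktop\Payment_Confirmation pdf.exe", ""),
    Proc(5332, 2800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ""),
    Proc(5952, 2800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ""),
    Proc(1516, 2800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ""),
    Proc(5352, 2800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ""),
    Proc(4660, 5352, r"C:\Windows\SysWOW64\schtasks.exe",
         r"/create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'"),
    Proc(1304, 4660, r"C:\Windows\system32\conhost.exe", "0xffffffff -ForceV1"),
    Proc(2172, 5352, r"C:\Windows\SysWOW64\schtasks.exe",
         r"/create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'"),
    Proc(5992, 2172, r"C:\Windows\system32\conhost.exe", "0xffffffff -ForceV1"),
    Proc(3996, 0, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "0"),
    Proc(5836, 0, r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", "0"),
    Proc(1000, 0, r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", ""),
]

# Assumed allow-list: images that legitimately launch a .NET compiler.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbc.exe", "csc.exe"}
# Assumed watch-list: signed Microsoft images commonly used as hollowing hosts.
HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                  "installutil.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_like_build(args: str) -> bool:
    """A genuine compile passes switches, a response file or source files."""
    return any(t.startswith(("/", "-", "@")) or t.lower().endswith((".vb", ".cs", ".rsp"))
               for t in args.split())


def build_tree(procs: List[Proc]) -> Dict[int, List[Proc]]:
    children: Dict[int, List[Proc]] = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    return children


def render(procs: List[Proc]) -> List[str]:
    """Indented tree in the same shape as the report's Startup section."""
    tree, lines = build_tree(procs), []

    def walk(ppid: int, depth: int) -> None:
        for p in tree.get(ppid, []):
            lines.append(("  " * depth + f"{basename(p.image)} (PID: {p.pid}) {p.args}").rstrip())
            walk(p.pid, depth + 1)

    walk(0, 0)
    return lines


def flag_hollowed_hosts(procs: List[Proc]) -> List[Proc]:
    """Watch-listed images started without a build command line by a non-build parent."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if basename(p.image).lower() not in HOLLOW_TARGETS or looks_like_build(p.args):
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and basename(parent.image).lower() in BUILD_PARENTS:
            continue
        flagged.append(p)
    return flagged


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    for p in flag_hollowed_hosts(PROCS):
        print(f"suspicious host process: {basename(p.image)} PID {p.pid} (parent PID {p.ppid})")
```

Run against the transcribed tree, every vbc.exe instance is flagged, including PID 3996, whose only argument is `0` (the same argument the dropped dhcpmon.exe is started with). A compiler launched with nothing to compile, by a process that is not a build tool, is the cheapest telemetry-level indicator of this injection chain.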

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
Strings:
  • 0x472ed:$x1: NanoCore.ClientPluginHost
  • 0x79f1d:$x1: NanoCore.ClientPluginHost
  • 0xac93d:$x1: NanoCore.ClientPluginHost
  • 0x4732a:$x2: IClientNetworkHost
  • 0x79f5a:$x2: IClientNetworkHost
  • 0xac97a:$x2: IClientNetworkHost
  • 0x4ae5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7da8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xb04ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp
Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x47055:$a: NanoCore
  • 0x47065:$a: NanoCore
  • 0x47299:$a: NanoCore
  • 0x472ad:$a: NanoCore
  • 0x472ed:$a: NanoCore
  • 0x79c85:$a: NanoCore
  • 0x79c95:$a: NanoCore
  • 0x79ec9:$a: NanoCore
  • 0x79edd:$a: NanoCore
  • 0x79f1d:$a: NanoCore
  • 0xac6a5:$a: NanoCore
  • 0xac6b5:$a: NanoCore
  • 0xac8e9:$a: NanoCore
  • 0xac8fd:$a: NanoCore
  • 0xac93d:$a: NanoCore
  • 0x470b4:$b: ClientPlugin
  • 0x472b6:$b: ClientPlugin
  • 0x472f6:$b: ClientPlugin
  • 0x79ce4:$b: ClientPlugin
  • 0x79ee6:$b: ClientPlugin
  • 0x79f26:$b: ClientPlugin

Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800
Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
Strings:
  • 0x131d1:$x1: NanoCore.ClientPluginHost
  • 0x31b3f:$x1: NanoCore.ClientPluginHost
  • 0x50410:$x1: NanoCore.ClientPluginHost
  • 0x13232:$x2: IClientNetworkHost
  • 0x31ba0:$x2: IClientNetworkHost
  • 0x50471:$x2: IClientNetworkHost
  • 0x18637:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x265a9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x36fa5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x44f17:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x55876:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x637e8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800
Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
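The string lists above are what a Yara engine produces when it scans a memory dump: every offset of every rule string, followed by a condition over which strings were present. The Python below is an added example, not from the report and not the yara engine itself; it reproduces that listing for the three Nanocore_RAT_Gen_2 strings the report prints and evaluates a Yara-style `N of ($x*)` condition over the result. The memory buffer is constructed, and the condition `2 of ($x*)` used at the end is an assumption standing in for the rule's real condition, which the report does not show.

```python
"""Mini string matcher and 'N of' condition evaluator in the shape of the Yara overview.

Added example, not from the report and not the yara engine. The string set is the
one the report lists for Nanocore_RAT_Gen_2 (Florian Roth); the dump is constructed
and the conditions evaluated below are assumptions, not the rule's own.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# The three strings listed for Nanocore_RAT_Gen_2 in the Yara overview.
NANOCORE_STRINGS: Dict[str, bytes] = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
}

Match = Tuple[int, str, bytes]  # (offset, identifier, matched bytes)


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp region: zero filler with the identifiers
    planted at several offsets, the way each mapping of an injected image shows up."""
    buf = bytearray(0x2000)
    for off, ident in [(0x100, "$x1"), (0x140, "$x2"), (0x800, "$x3"),
                       (0x1200, "$x1"), (0x1240, "$x2")]:
        s = NANOCORE_STRINGS[ident]
        buf[off:off + len(s)] = s
    return bytes(buf)


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in buf, overlapping occurrences included."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes, strings: Dict[str, bytes]) -> List[Match]:
    """Sorted (offset, ident, value) triples: the report's per-rule string list."""
    return sorted((off, ident, val)
                  for ident, val in strings.items() for off in find_all(buf, val))


def format_report(matches: List[Match]) -> List[str]:
    """Render matches as the report does: '0x472ed:$x1: NanoCore.ClientPluginHost'."""
    return [f"0x{off:x}:{ident}: {val.decode('ascii')}" for off, ident, val in matches]


def n_of(condition: str, strings: Dict[str, bytes], matches: List[Match]) -> bool:
    """Evaluate 'N of ($x*)', 'any of them', 'all of them' against scan() output."""
    m = re.fullmatch(r"\s*(\d+|any|all)\s+of\s+(?:them|\(\s*(\$[\w*]+)\s*\))\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    pattern = m.group(2) or "$*"
    in_set = [ident for ident in strings if fnmatchcase(ident, pattern)]
    present = {ident for _, ident, _ in matches if ident in in_set}
    q = m.group(1)
    need = 1 if q == "any" else len(in_set) if q == "all" else int(q)
    return len(present) >= need


if __name__ == "__main__":
    dump = build_sample_dump()
    hits = scan(dump, NANOCORE_STRINGS)
    print("\n".join(format_report(hits)))
    print("2 of ($x*):", n_of("2 of ($x*)", NANOCORE_STRINGS, hits))
```

Note what the listing does and does not tell you: repeated offsets for the same string (three copies of each in the report) indicate several mappings of the same image in one dump, which is consistent with the injection signatures further down, but the match itself is purely lexical. The `#=q...` identifier is the strongest of the three because it is an obfuscator-renamed symbol specific to this build family, whereas `IClientNetworkHost` is a plain interface name.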

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ProcessId: 5352, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ParentProcessId: 5352, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp', ProcessId: 4660
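Both Sigma hits are things an EDR or Sysmon pipeline sees without any memory scanning: a file named run.dat created under a GUID-named folder in %APPDATA% (EventID 11), and schtasks.exe registering a task from an XML definition in the user's Temp directory (EventID 1). The Python below is an added example, not the report's content and not Joe Security's Sigma rule source; it implements the selection logic those two hits imply and runs it over constructed events that mirror the report's data fields (Sysmon field names), with two benign control events.

```python
"""Detection logic for the two Sigma matches in this report, over constructed events.

Added example, not part of the Joe Sandbox report and not Joe Security's Sigma
rules. Field names follow Sysmon ProcessCreate (EventID 1) and FileCreate
(EventID 11); the event list is constructed from the report's data plus two
benign controls.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed: the two report hits, then a vendor task and an ordinary file write.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'"},
    {"EventID": 11, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r"schtasks.exe /create /tn 'Vendor Update' /xml 'C:\Program Files\Vendor\update.xml'"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

# /xml argument in any of the three quoting styles a command line can carry.
XML_ARG_RE = re.compile(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NanoCore's run.dat under %APPDATA%\<GUID>\ as seen in the EventID 11 hit.
NANOCORE_RUNDAT_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$",
    re.IGNORECASE)


def scheduled_task_from_temp(ev: Event) -> bool:
    """schtasks.exe creating a task whose /xml definition lives in a Temp directory."""
    if ev.get("EventID") != 1:
        return False
    if not str(ev.get("Image", "")).lower().endswith("\\schtasks.exe"):
        return False
    cmd = str(ev.get("CommandLine", ""))
    if "/create" not in cmd.lower():
        return False
    m = XML_ARG_RE.search(cmd)
    if not m:
        return False
    xml_path = next(g for g in m.groups() if g is not None)
    return bool(TEMP_DIR_RE.search(xml_path))


def nanocore_run_dat(ev: Event) -> bool:
    """File create of run.dat under a GUID-named folder in Roaming AppData."""
    if ev.get("EventID") != 11:
        return False
    return bool(NANOCORE_RUNDAT_RE.search(str(ev.get("TargetFilename", ""))))


RULES: Dict[str, Callable[[Event], bool]] = {
    "Scheduled temp file as task from temp location": scheduled_task_from_temp,
    "NanoCore": nanocore_run_dat,
}


def run_rules(events: List[Event]) -> List[Tuple[str, Event]]:
    """(rule name, event) for every event that satisfies a rule."""
    return [(name, ev) for ev in events for name, check in RULES.items() if check(ev)]


if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(f"Sigma detected: {name}: {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

The temp-task rule deliberately keys on the location of the XML definition rather than on the task name, because `DHCP Monitor` is chosen to blend in and will differ between builds; the GUID folder and `run.dat` name are stable across NanoCore deployments and are the better pivot for hunting.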

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment_Confirmation pdf.exe | Avira: detected
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY
Machine Learning detection for sample
Source: Payment_Confirmation pdf.exe | Joe Sandbox ML: detected
Source: 0.2.Payment_Confirmation pdf.exe.590000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.0.Payment_Confirmation pdf.exe.590000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: Payment_Confirmation pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment_Confirmation pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Accessibility.pdb | source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb | source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp
Source: Binary string: vbc.pdb | source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: Accessibility.pdbBSJB | source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00DBD5B1 FindFirstFileW,WideCharToMultiByte,FindFirstFileA
Source: global traffic | TCP traffic: 192.168.2.7:49724 -> 185.244.38.210:7008
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.38.210 (reported 50 times)
Source: dhcpmon.exe, 0000000D.00000002.263266383.0000000000BAA000.00000004.00000010.sdmp | String found in binary or memory: http://go.microsoft
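The two network signatures above are the ones worth turning into a standing detection: the client connected to 185.244.38.210 on TCP 7008 with no DNS query in the capture, which means the C2 address is either hard-coded in the (unrecovered) configuration or resolved out of band, and the port is nothing a workstation normally talks to. The following Python is an added example, not from the report: it applies both checks to a constructed capture built around the report's one observed flow. The DNS answer, the other two flows and the set of "standard" ports are assumptions.

```python
"""Flag TCP flows to destinations no DNS answer returned, and non-standard ports.

Added example, not from the report. The capture is constructed around the
report's flow 192.168.2.7:49724 -> 185.244.38.210:7008; the DNS answer, the
other flows and STANDARD_TCP_PORTS are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Set

# Assumed baseline: ports where a direct-to-IP connection is still routine.
STANDARD_TCP_PORTS: Set[int] = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


@dataclass(frozen=True)
class DnsAnswer:
    ts: float        # seconds into the capture
    name: str
    address: str


@dataclass(frozen=True)
class TcpFlow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def unresolved_destinations(answers: List[DnsAnswer], flows: List[TcpFlow]) -> List[TcpFlow]:
    """Flows to a public IP that no DNS answer earlier in the capture returned.
    A RAT with a hard-coded C2 address connects this way."""
    flagged = []
    for f in flows:
        if not ip_address(f.dst).is_global:
            continue  # private, loopback, link-local: no resolution expected
        if not any(a.address == f.dst and a.ts <= f.ts for a in answers):
            flagged.append(f)
    return flagged


def non_standard_port_flows(flows: List[TcpFlow]) -> List[TcpFlow]:
    """Public-destination flows on ports outside the baseline set."""
    return [f for f in flows
            if ip_address(f.dst).is_global and f.dport not in STANDARD_TCP_PORTS]


def summarize(answers: List[DnsAnswer], flows: List[TcpFlow]) -> List[str]:
    """One report-style line per finding."""
    lines = [f"TCP traffic detected without corresponding DNS query: {f.dst}"
             for f in unresolved_destinations(answers, flows)]
    lines += [f"TCP traffic on non-standard port: {f.src}:{f.sport} -> {f.dst}:{f.dport}"
              for f in non_standard_port_flows(flows)]
    return lines


# Constructed capture: one synthetic resolution (address chosen only to be public) and three flows.
SAMPLE_DNS = [DnsAnswer(1.0, "update.example.net", "93.184.216.34")]
SAMPLE_FLOWS = [
    TcpFlow(2.0, "192.168.2.7", 49724, "185.244.38.210", 7008),  # the report's flow
    TcpFlow(3.0, "192.168.2.7", 49725, "93.184.216.34", 443),    # resolved, standard port
    TcpFlow(4.0, "192.168.2.7", 49726, "192.168.2.1", 445),      # internal, ignored
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DNS, SAMPLE_FLOWS)))
```

The ordering check (`a.ts <= f.ts`) matters in a real capture: a resolution that arrives after the connection does not explain it, and DNS cached from before the capture started is a known blind spot, so run this over a capture that begins before the sample is detonated, as the sandbox does.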

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_Confirmation pdf.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment_Confirmation pdf.exe
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F46878
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F41820
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F41811
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F415C0
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F415B1
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Code function: 0_2_00F40682
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D420DD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D42066
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00E91438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D41424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00EDE9EE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00EDF9BA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D4DD20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D5A699
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00DAF65C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00F44BCE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00EDE3B9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D420DD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00DD50F2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D42066
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00EDE9EE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00EDF9BA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D47279
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00F44BCE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00EDE3B9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00E91438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D4E430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D41424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D4DD20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00DD7614
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: String function: 00E917B0 appears 150 times
Source: dhcpmon.exe.4.dr | Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
Source: Payment_Confirmation pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs Payment_Confirmation pdf.exe
Source: Payment_Confirmation pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.233380857.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment_Confirmation pdf.exe PID: 2800, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Payment_Confirmation pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Payment_Confirmation pdf.exe, hpCGGsxnBfkpZyTC.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Payment_Confirmation pdf.exe.590000.0.unpack, hpCGGsxnBfkpZyTC.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Payment_Confirmation pdf.exe.590000.0.unpack, hpCGGsxnBfkpZyTC.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/12@0/1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00EB9F6C GetSystemDefaultLangID,FormatMessageW,_ultow_s,SysAllocString,GetLastError,SysFreeString,SysFreeString
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Confirmation pdf.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{8b524be1-f4fe-4386-bd3a-d447c26466aa}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\tmp863B.tmp
Source: Payment_Confirmation pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dhcpmon.exe | String found in binary or memory: </Stop> (reported 4 times)
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Confirmation pdf.exe 'C:\Users\user\Desktop\Payment_Confirmation pdf.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (4 times)
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (4 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment_Confirmation pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Confirmation pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Accessibility.pdb | source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb | source: Payment_Confirmation pdf.exe, 00000000.00000002.233292165.0000000002A01000.00000004.00000001.sdmp
Source: Binary string: vbc.pdb | source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: Accessibility.pdbBSJB | source: vbc.exe, 00000009.00000003.246333764.0000000005245000.00000004.00000001.sdmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D43560 push eax; iretd 11_2_00D43581
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D42AC8 push A80020C3h; ret 11_2_00D42ACD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D42B08 push B80020CAh; retf 0020h 11_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00D42B30 push B80020CAh; retf 0020h 11_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D42AC8 push A80020C3h; ret 13_2_00D42ACD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D42B08 push B80020CAh; retf 0020h 13_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D42B30 push B80020CAh; retf 0020h 13_2_00D42B29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00D43560 push eax; iretd 13_2_00D43581
Source: initial sample | Static PE information: section name: .text entropy: 7.99650215148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 5145
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 4380
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: foregroundWindowGot 565
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: foregroundWindowGot 762
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe TID: 4472 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 204 | Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00DBD5B1 FindFirstFileW,WideCharToMultiByte,FindFirstFileA,11_2_00DBD5B1
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Process information queried: ProcessInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00F44FA1 IsDebuggerPresent,_crt_debugger_hook,__crtUnhandledException,_crt_debugger_hook,__crtTerminateProcess,11_2_00F44FA1
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 420000
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 51A1008
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp863B.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8988.tmp'
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Queries volume information: C:\Users\user\Desktop\Payment_Confirmation pdf.exe VolumeInformation
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00DCFAFA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_00DCFAFA
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00DBCB89 GetVersionExA,11_2_00DBCB89
      Source: C:\Users\user\Desktop\Payment_Confirmation pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct