Analysis Report New Order 54380 pdf.exe

Overview

General Information

Sample Name: New Order 54380 pdf.exe
Analysis ID: 338164
MD5: e7192b48a761bbc49da028723e08889c
SHA1: b4e6b76ebfe6b0497aa456c7cac2b31fe54d3b8c
SHA256: db51bcbfe40ce228cae597a42c2dd1906bc04fae69a1bbe75653f6feeb923e41
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Roaming\a.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: New Order 54380 pdf.exe Virustotal: Detection: 28%
Source: New Order 54380 pdf.exe ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY

Compliance:

Uses 32bit PE files
Source: New Order 54380 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order 54380 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then jmp 010FEC06h 0_2_010FE432
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02D733A4
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_02D7D083
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov esp, ebp 0_2_02D7C080
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02D756B8
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_02D7A730
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02D73E28
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02D73E28
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02D76227
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02D73625
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02D73AFD
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02D73AFD
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02D73B08
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02D73B08
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02D73E1D
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02D73E1D
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then xor edx, edx 0_2_02D73D54
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 4x nop then xor edx, edx 0_2_02D73D60

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: New Order 54380 pdf.exe, 00000000.00000002.263249370.000000000110A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order 54380 pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_008F2BC8 0_2_008F2BC8
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010FB201 0_2_010FB201
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F9AD0 0_2_010F9AD0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F3D78 0_2_010F3D78
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F7D70 0_2_010F7D70
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010FE432 0_2_010FE432
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010FEC30 0_2_010FEC30
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F0448 0_2_010F0448
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010FCCC0 0_2_010FCCC0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F8FD9 0_2_010F8FD9
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F3600 0_2_010F3600
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010FEC20 0_2_010FEC20
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_010F0438 0_2_010F0438
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D77E58 0_2_02D77E58
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D7AFE0 0_2_02D7AFE0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D74F90 0_2_02D74F90
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D7BAF0 0_2_02D7BAF0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D749CF 0_2_02D749CF
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D749E0 0_2_02D749E0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D7AFD0 0_2_02D7AFD0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_02D74F83 0_2_02D74F83
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00932BC8 3_2_00932BC8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B69AD0 3_2_02B69AD0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B6B201 3_2_02B6B201
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B63600 3_2_02B63600
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B68FD9 3_2_02B68FD9
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B6CCC0 3_2_02B6CCC0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B63C28 3_2_02B63C28
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B60448 3_2_02B60448
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_02B60438 3_2_02B60438
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_002C2BC8 4_2_002C2BC8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC9AE0 4_2_00AC9AE0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00ACB210 4_2_00ACB210
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00ACCCD0 4_2_00ACCCD0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC3C28 4_2_00AC3C28
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC0448 4_2_00AC0448
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC3600 4_2_00AC3600
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC8FE8 4_2_00AC8FE8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC9AD0 4_2_00AC9AD0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00ACB201 4_2_00ACB201
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00ACCCC0 4_2_00ACCCC0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC0438 4_2_00AC0438
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_00AC8FD9 4_2_00AC8FD9
Sample file is different than original file name gathered from version info
Source: New Order 54380 pdf.exe Binary or memory string: OriginalFilename vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273771998.00000000056F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273771998.00000000056F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273142570.00000000055F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs New Order 54380 pdf.exe
Uses 32bit PE files
Source: New Order 54380 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal88.troj.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: New Order 54380 pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New Order 54380 pdf.exe Virustotal: Detection: 28%
Source: New Order 54380 pdf.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File read: C:\Users\user\Desktop\New Order 54380 pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\New Order 54380 pdf.exe 'C:\Users\user\Desktop\New Order 54380 pdf.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order 54380 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order 54380 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Code function: 0_2_008F2BC8 push esi; retf 0_2_008F2DE5
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00932BC8 push esi; retf 3_2_00932DE5
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4_2_002C2BC8 push esi; retf 4_2_002C2DE5

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: \new order 54380 pdf.exe
Drops PE files
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File opened: C:\Users\user\Desktop\New Order 54380 pdf.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6512 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6524 Thread sleep count: 169 > 30
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6872 Thread sleep time: -922337203685477s >= -30000s
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: VMware
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: New Order 54380 pdf.exe, 00000000.00000002.263322879.000000000113D000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Queries volume information: C:\Users\user\Desktop\New Order 54380 pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: New Order 54380 pdf.exe, 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY
Behavior Graph ID: 338164. Sample: New Order 54380 pdf.exe. Startdate: 11/01/2021. Architecture: WINDOWS. Score: 88.
Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected Nanocore Rat; 2 other signatures.
Processes started: New Order 54380 pdf.exe; a.exe.
Files dropped by New Order 54380 pdf.exe: C:\Users\user\AppData\Roaming\a.exe (PE32); C:\Users\...\New Order 54380 pdf.exe.log (ASCII); C:\Users\user\AppData\...\InstallUtil.exe (PE32).
Signature on New Order 54380 pdf.exe: Hides that the sample has been downloaded from the Internet (zone.identifier). New Order 54380 pdf.exe started a.exe.
Signature on a.exe: Multi AV Scanner detection for dropped file.
No contacted IP infos