

Analysis Report New Order 54380 pdf.exe

Overview

General Information

Sample Name: New Order 54380 pdf.exe
Analysis ID: 338164
MD5: e7192b48a761bbc49da028723e08889c
SHA1: b4e6b76ebfe6b0497aa456c7cac2b31fe54d3b8c
SHA256: db51bcbfe40ce228cae597a42c2dd1906bc04fae69a1bbe75653f6feeb923e41
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • New Order 54380 pdf.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\New Order 54380 pdf.exe' MD5: E7192B48A761BBC49DA028723E08889C)
    • a.exe (PID: 6740 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: E7192B48A761BBC49DA028723E08889C)
  • a.exe (PID: 6808 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: E7192B48A761BBC49DA028723E08889C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
Strings:
  • 0x43787:$x1: NanoCore.ClientPluginHost
  • 0x76347:$x1: NanoCore.ClientPluginHost
  • 0xa8ef7:$x1: NanoCore.ClientPluginHost
  • 0x437c4:$x2: IClientNetworkHost
  • 0x76384:$x2: IClientNetworkHost
  • 0xa8f34:$x2: IClientNetworkHost
  • 0x472f7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79eb7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xaca67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp
Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x434ef:$a: NanoCore
  • 0x434ff:$a: NanoCore
  • 0x43733:$a: NanoCore
  • 0x43747:$a: NanoCore
  • 0x43787:$a: NanoCore
  • 0x760af:$a: NanoCore
  • 0x760bf:$a: NanoCore
  • 0x762f3:$a: NanoCore
  • 0x76307:$a: NanoCore
  • 0x76347:$a: NanoCore
  • 0xa8c5f:$a: NanoCore
  • 0xa8c6f:$a: NanoCore
  • 0xa8ea3:$a: NanoCore
  • 0xa8eb7:$a: NanoCore
  • 0xa8ef7:$a: NanoCore
  • 0x4354e:$b: ClientPlugin
  • 0x43750:$b: ClientPlugin
  • 0x43790:$b: ClientPlugin
  • 0x7610e:$b: ClientPlugin
  • 0x76310:$b: ClientPlugin
  • 0x76350:$b: ClientPlugin

Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
Strings:
  • 0x10637:$x1: NanoCore.ClientPluginHost
  • 0x431e5:$x1: NanoCore.ClientPluginHost
  • 0x10674:$x2: IClientNetworkHost
  • 0x43222:$x2: IClientNetworkHost
  • 0x141a7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x46d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
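The string hits above are what a YARA engine reports: each $identifier is a literal byte pattern and the hex value is the offset where it was found in the dump. The Python below is an added example, not code from the report, from Joe Sandbox or from the rule authors. It scans a buffer for the same patterns and prints rule, identifier and offset the same way. Only the byte patterns come from the table; the published rules' conditions are not reproduced on this page, so the scanner assumes that any single hit is enough to report the rule, and the zero-filled dump it scans is a constructed stand-in with the strings planted at the first offset listed for each identifier. It also shows why two rules report the same offset: $a "NanoCore" and $b "ClientPlugin" appear at 0x43787 and 0x43790 because both are substrings of $x1 "NanoCore.ClientPluginHost", nine bytes apart.

```python
import re
from dataclasses import dataclass

# Byte patterns copied from the report's Yara table. The conditions are an
# assumption (one hit of any string reports the rule); the real rules' conditions
# are not shown on the page and are not reproduced here.
RULES = {
    "Nanocore_RAT_Gen_2": {
        "$x1": b"NanoCore.ClientPluginHost",
        "$x2": b"IClientNetworkHost",
        "$x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
    },
    "NanoCore": {
        "$a": b"NanoCore",
        "$b": b"ClientPlugin",
    },
}


@dataclass(frozen=True)
class Hit:
    rule: str
    ident: str
    offset: int


def scan(buf: bytes, rules=RULES) -> list[Hit]:
    """Report every occurrence of every rule string, YARA-style (rule, $id, offset)."""
    hits = []
    for rule, strings in rules.items():
        for ident, pattern in strings.items():
            # re.escape: the patterns are literal bytes ('#', '=', '.' must not act as regex syntax)
            for m in re.finditer(re.escape(pattern), buf):
                hits.append(Hit(rule, ident, m.start()))
    return sorted(hits, key=lambda h: (h.rule, h.ident, h.offset))


def offsets(hits: list[Hit], rule: str, ident: str) -> list[int]:
    """Offsets at which one identifier of one rule matched, ascending."""
    return [h.offset for h in hits if h.rule == rule and h.ident == ident]


def matched_rules(hits: list[Hit]) -> set[str]:
    return {h.rule for h in hits}


def build_sample_dump() -> bytes:
    """Constructed stand-in for the 0x4744000 dump: zero-filled, with each string
    planted at the first offset the report lists for it. Not the real dump."""
    dump = bytearray(0x48000)
    for off, s in [
        (0x43787, RULES["Nanocore_RAT_Gen_2"]["$x1"]),
        (0x437c4, RULES["Nanocore_RAT_Gen_2"]["$x2"]),
        (0x472f7, RULES["Nanocore_RAT_Gen_2"]["$x3"]),
        (0x434ef, RULES["NanoCore"]["$a"]),
        (0x4354e, RULES["NanoCore"]["$b"]),
    ]:
        dump[off:off + len(s)] = s
    return bytes(dump)


def report(buf: bytes) -> str:
    """Render hits in the report's 'offset:$id: string' style, grouped by rule."""
    lines = []
    for h in scan(buf):
        lines.append(f"{h.rule:20s} 0x{h.offset:x}:{h.ident}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_dump()))
```

Scanning the constructed dump reports $a at both 0x434ef (planted) and 0x43787 (the prefix of $x1), and $b at 0x4354e and 0x43790, matching the overlap visible in the table above. A real YARA run over a process dump will also hit the same strings in every copy of the unpacked payload, which is why the report lists three $x1 offsets roughly 0x32bc0 apart.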

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe; Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Roaming\a.exe; ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: New Order 54380 pdf.exe; Virustotal: Detection: 28%
Source: New Order 54380 pdf.exe; ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY
Source: New Order 54380 pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order 54380 pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then jmp 010FEC06h (0_2_010FE432)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_02D733A4)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_02D7D083)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov esp, ebp (0_2_02D7C080)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_02D756B8)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_02D7A730)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then push dword ptr [ebp-24h] (0_2_02D73E28)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_02D73E28)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_02D76227)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_02D73625)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then push dword ptr [ebp-20h] (0_2_02D73AFD)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_02D73AFD)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then push dword ptr [ebp-20h] (0_2_02D73B08)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_02D73B08)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then push dword ptr [ebp-24h] (0_2_02D73E1D)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_02D73E1D)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then xor edx, edx (0_2_02D73D54)
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 4x nop then xor edx, edx (0_2_02D73D60)
Source: New Order 54380 pdf.exe, 00000000.00000002.263249370.000000000110A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: New Order 54380 pdf.exe
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_008F2BC8
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010FB201
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F9AD0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F3D78
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F7D70
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010FE432
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010FEC30
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F0448
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010FCCC0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F8FD9
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F3600
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010FEC20
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_010F0438
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D77E58
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D7AFE0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D74F90
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D7BAF0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D749CF
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D749E0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D7AFD0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_02D74F83
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_00932BC8
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B69AD0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B6B201
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B63600
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B68FD9
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B6CCC0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B63C28
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B60448
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_02B60438
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_002C2BC8
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC9AE0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00ACB210
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00ACCCD0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC3C28
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC0448
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC3600
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC8FE8
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC9AD0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00ACB201
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00ACCCC0
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC0438
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_00AC8FD9
Source: New Order 54380 pdf.exe; Binary or memory string: OriginalFilename vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273771998.00000000056F0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273771998.00000000056F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.273142570.00000000055F0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHCore1.dll0 vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameInstallUtil.exeT vs New Order 54380 pdf.exe
Source: New Order 54380 pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal88.troj.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: New Order 54380 pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New Order 54380 pdf.exe; Virustotal: Detection: 28%
Source: New Order 54380 pdf.exe; ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File read: C:\Users\user\Desktop\New Order 54380 pdf.exe
Source: unknown; Process created: C:\Users\user\Desktop\New Order 54380 pdf.exe 'C:\Users\user\Desktop\New Order 54380 pdf.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order 54380 pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order 54380 pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: New Order 54380 pdf.exe, 00000000.00000002.274072304.000000000802E000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; Code function: 0_2_008F2BC8 push esi; retf 0_2_008F2DE5
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 3_2_00932BC8 push esi; retf 3_2_00932DE5
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4_2_002C2BC8 push esi; retf 4_2_002C2DE5
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: \new order 54380 pdf.exe
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\Desktop\New Order 54380 pdf.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
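The static PE lines in this section (32BIT_MACHINE and EXECUTABLE_IMAGE; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA; a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) come from two header fields and one data-directory slot. The Python below is an added example, not code from the report or from Joe Sandbox; it reads those fields with the standard library only and derives the managed-code indicator: a non-empty COM descriptor (slot 14) means the image carries a CLR header, which fits the _CorExeMain/mscoree.dll and InstallUtil.pdb strings above. The image it parses is a constructed, header-only PE32 carrying the same flag values, not the sample itself, and the CLR RVA and size written into it are placeholder numbers. One caveat worth reading off the output: HIGH_ENTROPY_VA means nothing to the loader for a 32-bit image, and this flag set is the one the C# compiler emits by default, so it is evidence of a .NET build, not of deliberate hardening.

```python
import struct

# Flag names as printed in the report's "Static PE information" lines.
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot holding the CLR runtime header


def _flags(value: int, table: dict) -> list[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Read the COFF and optional headers and return the fields the sandbox prints."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        pe32plus, nrva_off, dd_off = False, opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+: 8-byte stack/heap fields move the directory back
        pe32plus, nrva_off, dd_off = True, opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_rva = struct.unpack_from("<I", data, nrva_off)[0]
    clr_rva = clr_size = 0
    if n_rva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "sections": nsections,
        "file_flags": _flags(characteristics, FILE_CHARACTERISTICS),
        "dll_flags": _flags(dll_characteristics, DLL_CHARACTERISTICS),
        "is_dotnet": clr_rva != 0 and clr_size != 0,   # populated COM descriptor => managed image
    }


def build_minimal_dotnet_pe32() -> bytes:
    """Constructed header-only PE32 with the flag values the report shows. It is not
    the sample, has no sections and cannot run; it exists so parse_pe has input."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine I386, no sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
    struct.pack_into("<H", opt, 70, 0x8560)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     0x2008, 0x48)                          # placeholder CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(parse_pe(build_minimal_dotnet_pe32()))
```

Run against the real dropped files, `parse_pe(open(path, "rb").read())` gives the same fields the report lists, and `is_dotnet` tells you up front that the next analysis step is a .NET decompiler rather than a native disassembler.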

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeFile opened: C:\Users\user\Desktop\New Order 54380 pdf.exe\:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\a.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 28 times in the report)
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\a.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\a.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6512 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6524 | Thread sleep count: 169 > 30
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6376 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\a.exe TID: 6800 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\a.exe TID: 6872 | Thread sleep time: -922337203685477s >= -30000s
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmware svga
      Source: New Order 54380 pdf.exe, 00000000.00000002.263322879.000000000113D000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
      Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
      Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
      Source: New Order 54380 pdf.exe, 00000000.00000002.270224796.0000000003DC1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.273451115.0000000003D91000.00000004.00000001.sdmp, a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmtools
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
      Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
      Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\a.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\a.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Queries volume information: C:\Users\user\Desktop\New Order 54380 pdf.exe VolumeInformation
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: New Order 54380 pdf.exe, 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.270957926.0000000004842000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: New Order 54380 pdf.exe PID: 6344, type: MEMORY
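As an added triage aid for the anti-VM, sleep and NanoCore entries above (example code written for this page, not Joe Sandbox's or NanoCore's own), the script below reads behaviour entries in the "Source: <origin> | <event>: <detail>" shape, tags the ones that evidence hypervisor checks, effectively infinite waits, sleep loops and the NanoCore.ClientPluginHost marker, and groups that evidence by the memory region it came from. Three things are this example's own assumptions rather than statements of the report: the grouping of strings by hypervisor family, the reading of 922337203685477 ms as floor(2^63 / 10^4), i.e. a 64-bit 100 ns delay interval converted to milliseconds, and the decision to discount the three Hyper-V sentences, which read like Windows error-message text mapped from a system image rather than sample logic. The sample lines are constructed from entries in this report.

```python
"""Triage helper for sandbox behaviour entries of the kind listed above.

Added example, written for this page: it is not Joe Sandbox code and not
part of the original report. It parses entries shaped like
"Source: <origin> | <event>: <detail>", tags the indicators seen in this
report (VM checks, effectively infinite waits, sleep loops, the NanoCore
marker) and groups the evidence by the memory region it came from.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of lines in the shape of the entries
# above (hand-copied, not a live extraction).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\a.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\New Order 54380 pdf.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6512 | Thread sleep time: -1844674407370954s >= -30000s",
    r"Source: C:\Users\user\Desktop\New Order 54380 pdf.exe TID: 6524 | Thread sleep count: 169 > 30",
    "Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC",
    "Source: a.exe, 00000004.00000002.273390890.0000000003671000.00000004.00000001.sdmp | Binary or memory string: vmtools",
    "Source: New Order 54380 pdf.exe, 00000000.00000002.274148090.0000000008170000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    "Source: New Order 54380 pdf.exe, 00000000.00000002.270686743.0000000004744000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost",
]

# Strings from the "Binary or memory string" entries, grouped by the
# virtualisation product they name (the grouping is this example's assumption).
VM_INDICATORS = {
    "vmware": ("vmware", "vmtools", "tpautoconnsvc", "ven_necvmwar"),
    "virtualbox": ("vboxservice", "vbox"),
    "virtual pc": ("vmusrvc", "vmsrvc", "microsoft virtual pc"),
    "qemu": ("qemu",),
    "hyper-v": ("microsoft hyper-v",),
}
NANOCORE_MARKER = "NanoCore.ClientPluginHost"

# 922337203685477 == 2**63 // 10_000: a 64-bit delay in 100 ns units expressed
# in milliseconds. Any wait that long is effectively infinite (interpretation).
INFINITE_WAIT_MS = 2**63 // 10_000

# Hyper-V / Guest Compute Service sentences read like Windows error-message
# text from a mapped system image, not sample logic; they are not counted.
OS_MESSAGE_RE = re.compile(r"Hyper-V.*(Compute Service|not installed)", re.I)
ENTRY_RE = re.compile(r"^Source:\s*(?P<origin>.+?)\s*\|\s*(?P<event>[^:]+):\s*(?P<detail>.*)$")
REGION_RE = re.compile(
    r"(?P<proc>[^,]+),\s*(?P<idx>[0-9a-f]{8})\.[0-9a-f]{8}\.\d+\.(?P<base>[0-9a-f]{16})\.", re.I)
NUM_RE = re.compile(r"-?\d+")


def parse_entry(line):
    """Split one entry into (origin, event, detail); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("origin"), m.group("event").strip(), m.group("detail")) if m else None


def classify(line):
    """Return the set of indicator tags a single entry contributes."""
    parsed = parse_entry(line)
    if parsed is None:
        return set()
    _origin, event, detail = parsed
    tags = set()
    if "memory string" in event.lower() or event.startswith("String found"):
        if OS_MESSAGE_RE.search(detail):
            return {"os-message-text"}  # noise marker, dropped by triage()
        low = detail.lower()
        for family, needles in VM_INDICATORS.items():
            if any(n in low for n in needles):
                tags.add(f"vm-check:{family}")
        if NANOCORE_MARKER in detail:
            tags.add("rat:nanocore")
    elif event.startswith(("Thread delayed", "Thread sleep time")):
        nums = NUM_RE.findall(detail)
        if nums and abs(int(nums[0])) >= INFINITE_WAIT_MS:
            tags.add("evasion:infinite-wait")
    elif event.startswith("Thread sleep count"):
        nums = NUM_RE.findall(detail)
        if len(nums) >= 2 and int(nums[0]) > int(nums[1]):
            tags.add("evasion:sleep-loop")
    elif event.startswith("File opened") and "ven_necvmwar" in detail.lower():
        tags.add("vm-check:vmware")  # the VMware virtual CD-ROM device interface
    return tags


def region_of(origin):
    """Name the process index and dump base an origin refers to, else the process."""
    m = REGION_RE.search(origin)
    if m:
        return f"{m.group('proc').strip()}[{m.group('idx')}]@0x{int(m.group('base'), 16):x}"
    return origin.split(" TID:")[0]


def triage(lines):
    """Aggregate evidence per region and summarise what the entries show."""
    by_region = defaultdict(set)
    for line in lines:
        parsed = parse_entry(line)
        tags = classify(line) - {"os-message-text"}
        if parsed and tags:
            by_region[region_of(parsed[0])].update(tags)
    all_tags = set().union(*by_region.values()) if by_region else set()
    return {
        "regions": {k: sorted(v) for k, v in by_region.items()},
        "vm_families": sorted(t.split(":", 1)[1] for t in all_tags if t.startswith("vm-check:")),
        "sandbox_evasion": any(t.startswith("evasion:") for t in all_tags),
        "nanocore": "rat:nanocore" in all_tags,
    }


if __name__ == "__main__":
    for region, tags in triage(SAMPLE_LINES)["regions"].items():
        print(region, "->", ", ".join(tags))
```

Run over the full list of entries above, the per-region view shows the hypervisor service-name checks clustered in one heap region of the a.exe copy (base 0x3671000 in the process indexed 00000004) while the NanoCore marker sits in the parent process, which is the layout to expect when a loader unpacks the RAT in memory; the InstallUtil.exe that was dropped but never started is worth cross-checking against the dropped-file section for the same reason. Entries that name several dump regions are attributed to the first one only.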

      Mitre Att&ck Matrix

      Techniques are listed per tactic column of the report's matrix. The number in parentheses reproduces the signature count printed beside a technique in the report; techniques without a number are shown in the matrix but were not matched for this sample.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Persistence: Startup Items (1); Registry Run Keys / Startup Folder (2); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
      Privilege Escalation: Startup Items (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Logon Script (Mac); Network Logon Script; Rc.common
      Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (3); Disable or Modify Tools (1); Process Injection (11); Hidden Files and Directories (1); Obfuscated Files or Information (2)
      Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery (111); Virtualization/Sandbox Evasion (3); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (12); System Owner/User Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
      Command and Control: Encrypted Channel (1); Remote Access Software (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

      Behavior Graph

      (The interactive graph itself is not reproduced here. Its legend distinguishes node types: process, signature, created file, DNS/IP info; flags: is dropped, is Windows process, is malicious, Internet; counts of created registry values and created files; and the detected implementation language: Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other.)

      Screenshots