Play interactive tour

Edit tour

Analysis Report parcel_images.exe

Overview

General Information

Sample Name:	parcel_images.exe
Analysis ID:	339033
MD5:	5f8a97a2c2b464c360a3628c73b88103
SHA1:	134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256:	74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
Tags:	exeNanoCoreRATUPS
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

parcel_images.exe (PID: 6068 cmdline: 'C:\Users\user\Desktop\parcel_images.exe' MD5: 5F8A97A2C2B464C360A3628C73B88103)

schtasks.exe (PID: 5664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5420 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 1928 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 576 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5268 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5960 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14c9d:$x1: NanoCore.ClientPluginHost 0x14cda:$x2: IClientNetworkHost 0x1880d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14a05:$a: NanoCore 0x14a15:$a: NanoCore 0x14c49:$a: NanoCore 0x14c5d:$a: NanoCore 0x14c9d:$a: NanoCore 0x14a64:$b: ClientPlugin 0x14c66:$b: ClientPlugin 0x14ca6:$b: ClientPlugin 0x14b8b:$c: ProjectData 0x15592:$d: DESCrypto 0x1cf5e:$e: KeepAlive 0x1af4c:$g: LogClientMessage 0x17147:$i: get_Connected 0x158c8:$j: #=q 0x158f8:$j: #=q 0x15914:$j: #=q 0x15944:$j: #=q 0x15960:$j: #=q 0x1597c:$j: #=q 0x159ac:$j: #=q 0x159c8:$j: #=q
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x17af5:$a: NanoCore 0x17b4e:$a: NanoCore 0x17b8b:$a: NanoCore 0x17c04:$a: NanoCore 0x1d199:$a: NanoCore 0x1d1e3:$a: NanoCore 0x1d3cd:$a: NanoCore 0x30cec:$a: NanoCore 0x30d01:$a: NanoCore 0x30d36:$a: NanoCore 0x49cd3:$a: NanoCore 0x49ce8:$a: NanoCore 0x49d1d:$a: NanoCore 0x17b57:$b: ClientPlugin 0x17b94:$b: ClientPlugin 0x18492:$b: ClientPlugin 0x1849f:$b: ClientPlugin 0x1cf32:$b: ClientPlugin 0x1d1a2:$b: ClientPlugin 0x1d1ec:$b: ClientPlugin 0x30aa8:$b: ClientPlugin
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1bdefd:$x1: NanoCore.ClientPluginHost 0x1bdf3a:$x2: IClientNetworkHost 0x1c1a6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bdc65:$a: NanoCore 0x1bdc75:$a: NanoCore 0x1bdea9:$a: NanoCore 0x1bdebd:$a: NanoCore 0x1bdefd:$a: NanoCore 0x1bdcc4:$b: ClientPlugin 0x1bdec6:$b: ClientPlugin 0x1bdf06:$b: ClientPlugin 0x10d375:$c: ProjectData 0x1bddeb:$c: ProjectData 0x10de13:$d: DESCrypto 0x1be7f2:$d: DESCrypto 0x1c61be:$e: KeepAlive 0x1c41ac:$g: LogClientMessage 0x1c03a7:$i: get_Connected 0x1beb28:$j: #=q 0x1beb58:$j: #=q 0x1beb74:$j: #=q 0x1beba4:$j: #=q 0x1bebc0:$j: #=q 0x1bebdc:$j: #=q
00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: RegSvcs.exe PID: 5420	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x98286:$x1: NanoCore.ClientPluginHost 0x1bb9c3:$x1: NanoCore.ClientPluginHost 0x1fb71c:$x1: NanoCore.ClientPluginHost 0x1fdd97:$x1: NanoCore.ClientPluginHost 0x2039c4:$x1: NanoCore.ClientPluginHost 0x214d68:$x1: NanoCore.ClientPluginHost 0x28030c:$x1: NanoCore.ClientPluginHost 0x29f699:$x1: NanoCore.ClientPluginHost 0x39359c:$x1: NanoCore.ClientPluginHost 0x395c38:$x1: NanoCore.ClientPluginHost 0x982ac:$x2: IClientNetworkHost 0x1bba08:$x2: IClientNetworkHost 0x1fb742:$x2: IClientNetworkHost 0x203a09:$x2: IClientNetworkHost 0x214dad:$x2: IClientNetworkHost 0x28036d:$x2: IClientNetworkHost 0x3935c2:$x2: IClientNetworkHost 0x285772:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2936e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 5420	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5420	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x98178:$a: NanoCore 0x98219:$a: NanoCore 0x98286:$a: NanoCore 0x98347:$a: NanoCore 0x99218:$a: NanoCore 0x9926b:$a: NanoCore 0x992a4:$a: NanoCore 0x99317:$a: NanoCore 0x1bb93d:$a: NanoCore 0x1bb96a:$a: NanoCore 0x1bb9c3:$a: NanoCore 0x1c31d2:$a: NanoCore 0x1c31e5:$a: NanoCore 0x1c3217:$a: NanoCore 0x1fb60e:$a: NanoCore 0x1fb6af:$a: NanoCore 0x1fb71c:$a: NanoCore 0x1fb7dd:$a: NanoCore 0x1fc6ae:$a: NanoCore 0x1fc701:$a: NanoCore 0x1fc73a:$a: NanoCore
Process Memory Space: parcel_images.exe PID: 6068	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41971e:$x1: NanoCore.ClientPluginHost 0x41977f:$x2: IClientNetworkHost 0x41eb84:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x42caf6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: parcel_images.exe PID: 6068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: parcel_images.exe PID: 6068	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: parcel_images.exe PID: 6068	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x419223:$a: NanoCore 0x41923f:$a: NanoCore 0x41939a:$a: NanoCore 0x4193a9:$a: NanoCore 0x419682:$a: NanoCore 0x4196ae:$a: NanoCore 0x41971e:$a: NanoCore 0x429160:$a: NanoCore 0x429172:$a: NanoCore 0x4291ae:$a: NanoCore 0x4192ca:$b: ClientPlugin 0x4193f3:$b: ClientPlugin 0x4196b7:$b: ClientPlugin 0x419727:$b: ClientPlugin 0x42917b:$b: ClientPlugin 0x4291b7:$b: ClientPlugin 0x419540:$c: ProjectData 0x4290ad:$c: ProjectData 0x75345c:$c: ProjectData 0x7558c6:$c: ProjectData 0x41a67c:$d: DESCrypto
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.5ca0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
4.2.RegSvcs.exe.5ca0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegSvcs.exe.5cb0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5cb0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5cb0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\parcel_images.exe' , ParentImage: C:\Users\user\Desktop\parcel_images.exe, ParentProcessId: 6068, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', ProcessId: 5664

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: parcel_images.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Avira: detection malicious, Label: HEUR/AGEN.1120329

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: parcel_images.exe	Virustotal: Detection: 47%			Perma Link
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: parcel_images.exe

Joe Sandbox ML: detected

Source: 4.2.RegSvcs.exe.5cb0000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

4_2_0349865F

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: cldgr.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.3:49713 -> 69.61.59.215:60003

Source: Joe Sandbox View

ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS

Source: unknown

DNS traffic detected: queries for: cldgr.duckdns.org

Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFP
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comh
Source: parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.c
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/e
Source: parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.compe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krC
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlearn
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comF
Source: parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comw
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: RegSvcs.exe, 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: parcel_images.exe

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D8E NtQuerySystemInformation,	0_2_04E51D8E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D54 NtQuerySystemInformation,	0_2_04E51D54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A016DA NtQuerySystemInformation,	4_2_05A016DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0169F NtQuerySystemInformation,	4_2_05A0169F

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C50	0_2_01000C50
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001C53	0_2_01001C53
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010000F8	0_2_010000F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B08	0_2_01002B08
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001374	0_2_01001374
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100454C	0_2_0100454C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01003800	0_2_01003800
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004848	0_2_01004848
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C4D	0_2_01000C4D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004858	0_2_01004858
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA4	0_2_01004CA4
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA8	0_2_01004CA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B01	0_2_01002B01
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002F18	0_2_01002F18
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F8	0_2_010037F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A55	0_2_01004A55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004E55	0_2_01004E55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A58	0_2_01004A58
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004291	0_2_01004291
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004298	0_2_01004298
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002AA5	0_2_01002AA5
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681208C	0_2_0681208C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D90	0_2_06810D90
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810530	0_2_06810530
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AC65	0_2_0681AC65
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D82	0_2_06810D82
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_068105F0	0_2_068105F0
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CC20	0_2_06F8CC20
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8E120	0_2_06F8E120
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8C500	0_2_06F8C500
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B0E8	0_2_06F8B0E8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CEA8	0_2_06F8CEA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8BC98	0_2_06F8BC98
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8DE78	0_2_06F8DE78
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A250	0_2_06F8A250
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A9F8	0_2_06F8A9F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B728	0_2_06F8B728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01902477	4_2_01902477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01917ABE	4_2_01917ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03492FA8	4_2_03492FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034923A0	4_2_034923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03498BB8	4_2_03498BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034997B8	4_2_034997B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03499ACB	4_2_03499ACB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03493850	4_2_03493850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349B488	4_2_0349B488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034932BB	4_2_034932BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349306F	4_2_0349306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349A060	4_2_0349A060
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349987F	4_2_0349987F

Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST

Source: parcel_images.exe	Binary or memory string: OriginalFilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.240637309.0000000000517000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.245931889.0000000004E70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254894264.0000000007340000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253585075.0000000006820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs parcel_images.exe
Source: parcel_images.exe	Binary or memory string: OriginalFilenameG vs parcel_images.exe

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: parcel_images.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@8/1

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51CBE AdjustTokenPrivileges,	0_2_04E51CBE
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51C87 AdjustTokenPrivileges,	0_2_04E51C87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0149A AdjustTokenPrivileges,	4_2_05A0149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A01463 AdjustTokenPrivileges,	4_2_05A01463

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: C:\Users\user\Desktop\parcel_images.exe	Mutant created: \Sessions\1\BaseNamedObjects\btYicyWOySdNftvOgyOAHWI

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2412.tmp

Jump to behavior

Source: parcel_images.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: parcel_images.exe	Virustotal: Detection: 47%
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\parcel_images.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\parcel_images.exe 'C:\Users\user\Desktop\parcel_images.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: parcel_images.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: parcel_images.exe

Static file information: File size 1350144 > 1048576

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ee00

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_003D4419 push es; retf	0_2_003D441C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100054B pushfd ; retf	0_2_0100054D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007581 push esp; retf	0_2_01007582
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007589 push esp; retf	0_2_0100758A
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075B8 push ebp; retf	0_2_010075BA
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075C1 push ebp; retf	0_2_010075C2
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008C49 push BAFFFFFEh; retn 0001h	0_2_01008C4E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008CAE push eax; iretd	0_2_01008CB1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F0 pushad ; retf	0_2_010037F1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AE4B push es; iretd	0_2_0681AE4C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06814060 push es; retf	0_2_06814070
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8355F push ebx; retf	0_2_06F83560
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F83D52 pushad ; ret	0_2_06F83D53
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174B8 push ebp; ret	4_2_019174B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174AC push ecx; ret	4_2_019174AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01919D78 pushad ; retf	4_2_01919D79

Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037
Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\parcel_images.exe	File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report parcel_images.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection: