Analysis Report DINTEC PO.exe

Overview

General Information

Sample Name: DINTEC PO.exe
Analysis ID: 339185
MD5: f1d00b68162820d29eb884a91b9e6a09
SHA1: 406621cc2e30d19645513296fe1c5f50dd6c3848
SHA256: 29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
Tags: exe, NanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Uses dynamic DNS services
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

Compliance:

Uses 32bit PE files
Source: DINTEC PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DINTEC PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: System.pdbM source: InstallUtil.exe, 00000004.00000003.904681464.0000000001078000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.749350988.00000000008A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then jmp 0146EB76h 0_2_0146E3A0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov esp, ebp 0_2_01468DC0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov esp, ebp 0_2_01468DB1
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_055BD1EA
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_055BA5B8
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_055B5410
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_055B60EC
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_055B4095
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_055B4095
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_055B40A0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_055B40A0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_055B533C
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_055B32C0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_055B3D75
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_055B3D75
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov esp, ebp 0_2_055BBDD8
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_055B3D80
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_055B3D80
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then xor edx, edx 0_2_055B3FD8
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then xor edx, edx 0_2_055B3FCC
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_055B389D
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then jmp 024AEB76h 2_2_024AE3A0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov esp, ebp 2_2_024A8DC0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov esp, ebp 2_2_024A8DB1
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov esp, ebp 5_2_02608DC0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov esp, ebp 5_2_02608DB1

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: mnvh54254.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 95.181.155.123:6653
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MSKHOSTRU MSKHOSTRU
Source: unknown DNS traffic detected: queries for: mnvh54254.ddns.net
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1048821973.0000000000BD9000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/Ident

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B583838 CreateProcessAsUserW, 2_2_0B583838
Detected potential crypto function
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146B170 0_2_0146B170
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146E3A0 0_2_0146E3A0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01460448 0_2_01460448
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_014634F8 0_2_014634F8
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146EBA0 0_2_0146EBA0
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01469A3F 0_2_01469A3F
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01466D38 0_2_01466D38
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01463C60 0_2_01463C60
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146CC30 0_2_0146CC30
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01468F4A 0_2_01468F4A
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_01460441 0_2_01460441
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146F648 0_2_0146F648
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_0146EB90 0_2_0146EB90
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055BAD38 0_2_055BAD38
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055BAD2A 0_2_055BAD2A
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055B4DFA 0_2_055B4DFA
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055B4E08 0_2_055B4E08
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055B4858 0_2_055B4858
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055BB849 0_2_055BB849
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055B4847 0_2_055B4847
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A9A3F 2_2_024A9A3F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024AEBA0 2_2_024AEBA0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024AE3A0 2_2_024AE3A0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024AB170 2_2_024AB170
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A8F4B 2_2_024A8F4B
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A0448 2_2_024A0448
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A6C10 2_2_024A6C10
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024ACC30 2_2_024ACC30
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A34F8 2_2_024A34F8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024AEB90 2_2_024AEB90
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024AF648 2_2_024AF648
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_024A0438 2_2_024A0438
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B580770 2_2_0B580770
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B584E78 2_2_0B584E78
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B582618 2_2_0B582618
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B580040 2_2_0B580040
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B580760 2_2_0B580760
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B584E69 2_2_0B584E69
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B582607 2_2_0B582607
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B585A98 2_2_0B585A98
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B581D50 2_2_0B581D50
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B581D3F 2_2_0B581D3F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B583D20 2_2_0B583D20
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B580006 2_2_0B580006
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B5818D8 2_2_0B5818D8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B5818C9 2_2_0B5818C9
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_0B5830A0 2_2_0B5830A0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02609A42 5_2_02609A42
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_0260B170 5_2_0260B170
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02608F57 5_2_02608F57
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02603C61 5_2_02603C61
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02600448 5_2_02600448
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_0260CC3F 5_2_0260CC3F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_026034F8 5_2_026034F8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_0260B181 5_2_0260B181
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02600438 5_2_02600438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_008A20B0 11_2_008A20B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_010F07D8 11_2_010F07D8
Sample file is different than original file name gathered from version info
Source: DINTEC PO.exe Binary or memory string: OriginalFilename vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.721423524.0000000008415000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722132752.0000000008EF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.720559556.0000000005660000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DINTEC PO.exe
Source: DINTEC PO.exe Binary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\DINTEC PO.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DINTEC PO.exe Section loaded: windows.staterepositoryps.dll
Uses 32bit PE files
Source: DINTEC PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/13@2/1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ffdfcbd2-3989-4236-a47d-b9533fb19ad2}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: DINTEC PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DINTEC PO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DINTEC PO.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DINTEC PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DINTEC PO.exe File read: C:\Users\user\Desktop\DINTEC PO.exe
Source: unknown Process created: C:\Users\user\Desktop\DINTEC PO.exe 'C:\Users\user\Desktop\DINTEC PO.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DINTEC PO.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DINTEC PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\DINTEC PO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DINTEC PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DINTEC PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: System.pdbM source: InstallUtil.exe, 00000004.00000003.904681464.0000000001078000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.749350988.00000000008A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DINTEC PO.exe Code function: 0_2_055BD340 pushfd ; ret 0_2_055BD349
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_02606976 push 0000003Bh; ret 5_2_0260697D
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 5_2_0260694A push 0000003Bh; ret 5_2_0260694F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\DINTEC PO.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DINTEC PO.exe File opened: C:\Users\user\Desktop\DINTEC PO.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\a.exe File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DINTEC PO.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DINTEC PO.exe Process information set: NOOPENFILEERRORBOX (39 identical events)
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX (40 identical events)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (44 identical events)
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX (27 identical events)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (17 identical events)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\DINTEC PO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DINTEC PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DINTEC PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3849
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 5664
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 701
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 626
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6724 Thread sleep time: -2767011611056431ms >= -30000ms
Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6736 Thread sleep count: 196 > 30
Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6544 Thread sleep time: -922337203685477ms >= -30000ms
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 Thread sleep count: 261 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 Thread sleep time: -261000ms >= -30000ms
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6944 Thread sleep time: -922337203685477ms >= -30000ms
Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 Thread sleep count: 122 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 Thread sleep count: 349 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 Thread sleep time: -349000ms >= -30000ms
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6944 Thread sleep time: -922337203685477ms >= -30000ms
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3976 Thread sleep time: -13835058055282155ms >= -30000ms
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6384 Thread sleep time: -922337203685477ms >= -30000ms
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6752 Thread sleep time: -922337203685477ms >= -30000ms
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\a.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\a.exe Last function: Thread delayed
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: VMware
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1049116423.00000000026A0000.00000004.00000001.sdmp, a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DINTEC PO.exe Process information queried: ProcessInformation
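The device path queried under "Contains capabilities to detect virtual machines" is a Windows device-interface symbolic link with its `\\?\` prefix stripped: enumerator (SCSI), device ID (CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00), instance ID, and the interface class GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, which is GUID_DEVINTERFACE_CDROM. The Ven_/Prod_ fields name VMware's virtual SATA CD-ROM, and that is what an anti-VM check reads out of the enumeration. The Python below is an added example, not part of the report: it parses that path format and looks for hypervisor markers both in the parsed device ID and in the memory strings listed above (SAMPLE_MEMORY_STRINGS is constructed from those lines). The GUID table and the marker-to-product mapping are the author's own selections.

```python
"""Parse a Windows device-interface path and score hypervisor markers.

Added example; not part of the sandbox report. Sample inputs are constructed
from the report's lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Device-interface class GUIDs (lowercase, without braces) relevant to this enumeration.
INTERFACE_CLASSES = {
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_CDROM",
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_DISK",
}

# Case-insensitive substrings that betray a hypervisor in device IDs or process memory,
# mapped to the product family they point to (author's selection).
VM_MARKERS = {
    "necvmwar": "VMware", "vmware": "VMware", "vmci": "VMware",
    "vmtools": "VMware", "tpautoconnsvc": "VMware",
    "vmusrvc": "Virtual PC", "vmsrvc": "Virtual PC", "virtual pc": "Virtual PC",
    "vbox": "VirtualBox", "qemu": "QEMU", "hyper-v": "Hyper-V",
}

# Path taken from the report (the sandbox already removed the leading \\?\).
SAMPLE_DEVICE_PATH = (
    "SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000"
    "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
)

# Constructed from the "Binary or memory string" lines in this section.
SAMPLE_MEMORY_STRINGS = [
    "vmware svga",
    "tpautoconnsvc#Microsoft Hyper-V",
    "cmd.txtQEMUqemu",
    "vmusrvc",
    "vboxservicevbox)Microsoft Virtual PC",
    "A Virtual Machine could not be started because Hyper-V is not installed.",
]

# <enumerator>#<device id>#<instance id>#{<interface class GUID>}, optional \\?\ prefix.
DEVPATH_RE = re.compile(
    r"^(?:\\\\\?\\)?(?P<enum>[^#\\]+)#(?P<dev>[^#]+)#(?P<inst>[^#]+)#\{(?P<guid>[0-9A-Fa-f-]{36})\}$"
)


@dataclass
class DeviceInterfacePath:
    enumerator: str
    device_id: str
    instance_id: str
    interface_guid: str
    interface_name: str
    fields: Dict[str, str] = field(default_factory=dict)   # Class / Ven / Prod tokens
    vm_markers: List[str] = field(default_factory=list)


def find_vm_markers(strings) -> List[str]:
    """Distinct hypervisor families implied by any of the given strings, in first-seen order."""
    found: List[str] = []
    for s in strings:
        low = s.lower()
        for marker, family in VM_MARKERS.items():
            if marker in low and family not in found:
                found.append(family)
    return found


def parse_device_interface_path(path: str) -> Optional[DeviceInterfacePath]:
    """Split a device-interface path into its parts; None if the shape does not match."""
    m = DEVPATH_RE.match(path.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m["dev"].split("&"):
        key, sep, value = token.partition("_")
        if sep:
            fields[key] = value                 # "Ven_NECVMWar" -> Ven: NECVMWar
        else:
            fields.setdefault("Class", token)   # leading "CdRom" / "Disk" token
    guid = m["guid"].lower()
    return DeviceInterfacePath(m["enum"], m["dev"], m["inst"], guid,
                               INTERFACE_CLASSES.get(guid, "unknown"), fields,
                               find_vm_markers([m["dev"]]))


if __name__ == "__main__":
    print(parse_device_interface_path(SAMPLE_DEVICE_PATH))
    print("memory markers:", find_vm_markers(SAMPLE_MEMORY_STRINGS))
```

The memory-string hits are weaker evidence than the device query: the Hyper-V sentence in DINTEC PO.exe's memory reads like a Windows resource string and would be flagged by any substring scan, whereas opening the CD-ROM interface path and checking Ven_/Prod_ is something the sample did on purpose.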

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\DINTEC PO.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DINTEC PO.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\a.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: B76008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DINTEC PO.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: a.exe, 00000002.00000002.1048857023.0000000000F70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
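Read together, the events in this section are the RunPE / process-hollowing sequence: a.exe starts InstallUtil.exe suspended, allocates an RWX region at 0x400000 inside it, writes a PE there (value starts with 4D5A, "MZ"), writes further pages at 0x402000, 0x420000 and 0x422000 (section data), and finally writes at 0xB76008. That last address sits 8 bytes into a page, which on 32-bit Windows is the PEB.ImageBaseAddress slot (the report classes the sample as 32-bit); reading it as the hollowed process's PEB being re-pointed at the injected image is an interpretation, not something the report states. The Python below is an added example, not part of the report: it parses lines in the report's own format (SAMPLE_EVENTS is constructed from the entries above; the 0x400000 write that appears under two signatures is included once) and reconstructs the sequence per injector/target pair. The 4 MiB image window and the PEB offset heuristic are assumptions made for the example.

```python
"""Reconstruct a process-hollowing (RunPE) sequence from sandbox memory events.

Added example; not part of the sandbox report. Sample lines are constructed
from the report's entries.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Writes further than this above an RWX allocation are not treated as part of that image
# (assumption: the injected PE is smaller than 4 MiB, which holds for a payload of this size).
IMAGE_WINDOW = 0x400000

# Lines listed under "Creates a process in suspended mode", "Allocates memory in foreign
# processes" and "Writes to foreign memory regions" respectively.
CREATE_RE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<dst>\S.*?\.exe) ")
ALLOC_RE = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")

SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\DINTEC PO.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: B76008",
]


@dataclass
class InjectionTrace:
    injector: str
    target: str
    created_suspended: bool = False
    rwx_regions: List[int] = field(default_factory=list)
    pe_header_base: Optional[int] = None
    section_writes: List[int] = field(default_factory=list)
    peb_imagebase_writes: List[int] = field(default_factory=list)
    stray_writes: List[int] = field(default_factory=list)

    def verdict(self) -> str:
        if self.created_suspended and self.pe_header_base is not None and self.section_writes:
            return "process hollowing (RunPE)"
        if self.pe_header_base is not None:
            return "PE image written into foreign process"
        if self.section_writes or self.peb_imagebase_writes or self.stray_writes:
            return "foreign memory write"
        return "no injection"


def analyze_injection_events(lines) -> Dict[Tuple[str, str], InjectionTrace]:
    """Group create/alloc/write events per (injector, target) and classify each pair."""
    traces: Dict[Tuple[str, str], InjectionTrace] = {}

    def trace_for(src: str, dst: str) -> InjectionTrace:
        return traces.setdefault((src, dst), InjectionTrace(src, dst))

    for raw in lines:
        line = raw.strip()
        m = CREATE_RE.match(line)
        if m:
            trace_for(m["src"], m["dst"]).created_suspended = True
            continue
        m = ALLOC_RE.match(line)
        if m:
            if "execute" in m["prot"] and "write" in m["prot"]:
                trace_for(m["src"], m["dst"]).rwx_regions.append(int(m["base"], 16))
            continue
        m = WRITE_RE.match(line)
        if not m:
            continue
        t = trace_for(m["src"], m["dst"])
        addr = int(m["base"], 16)
        region = next((r for r in t.rwx_regions if r <= addr < r + IMAGE_WINDOW), None)
        magic = (m["magic"] or "").upper()
        if region is not None and addr == region and magic.startswith("4D5A"):
            t.pe_header_base = addr                # 'MZ' landed at the new image base
        elif region is not None:
            t.section_writes.append(addr)          # section copies inside the image
        elif addr & 0xFFF == 0x8:
            t.peb_imagebase_writes.append(addr)    # PEB+0x8 = ImageBaseAddress on x86 (heuristic)
        else:
            t.stray_writes.append(addr)
    return traces


if __name__ == "__main__":
    for (src, dst), t in analyze_injection_events(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {t.verdict()}")
```

The DINTEC PO.exe to a.exe pair shows up as a suspended create with no memory writes, so it gets no injection verdict; only the a.exe to InstallUtil.exe pair carries the full pattern. On x64 targets the PEB field is at offset 0x10, so the heuristic in the last branch would need to be widened there.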

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Users\user\Desktop\DINTEC PO.exe VolumeInformation
Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DINTEC PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\DINTEC PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: DINTEC PO.exe, 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: a.exe, 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6896, type: MEMORY
Behavior Graph

Behavior Graph ID: 339185
Sample: DINTEC PO.exe
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Sigma detected: NanoCore
  Detected Nanocore Rat
  3 other signatures

Process tree (started from the sample):

DINTEC PO.exe
  dropped: C:\Users\user\AppData\Roaming\a.exe, PE32
  dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32
  dropped: C:\Users\user\...\a.exe:Zone.Identifier, ASCII
  started: a.exe

a.exe
  signature: Writes to foreign memory regions
  signature: Allocates memory in foreign processes
  signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  signature: Injects a PE file into a foreign processes
  started: InstallUtil.exe

InstallUtil.exe
  DNS/IP: mnvh54254.ddns.net 95.181.155.123, ports 49741, 49769, 6653 (MSKHOSTRU, Russian Federation)
  dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
  dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32

dhcpmon.exe
  started: conhost.exe

Contacted Public IPs

IP              Domain   Country             ASN     ASN Name   Malicious
95.181.155.123  unknown  Russian Federation  207319  MSKHOSTRU  true

Contacted Domains

Name                IP              Active
mnvh54254.ddns.net  95.181.155.123  true