Analysis Report Invoice# 77-83992-8297382 (2).exe

Overview

General Information

Sample Name: Invoice# 77-83992-8297382 (2).exe
Analysis ID: 339193
MD5: 4c67eb7b3f4ea88e5e5487ade487de3f
SHA1: d118ae4beef890783251d53f3f7fe5e6c9a65a10
SHA256: db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Antivirus or Machine Learning detection for unpacked file
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: Invoice# 77-83992-8297382 (2).exe ReversingLabs: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Code function: 4x nop then jmp 016AEB76h 0_2_016AE3B0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Code function: 4x nop then mov esp, ebp 0_2_016A8DC0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Code function: 4x nop then jmp 016AEB76h 0_2_016AE3A0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Code function: 4x nop then mov esp, ebp 0_2_016A8DB1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 00DBEB76h 4_2_00DBE3A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov esp, ebp 4_2_00DB8DC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov esp, ebp 4_2_00DB8DB1

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 194.5.97.173:10004
Source: unknown DNS traffic detected: queries for: 1.ispnano.dns-cloud.net
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000003.233824722.0000000001326000.00000004.00000001.sdmp String found in binary or memory: http://go.microsoft.c
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240339078.00000000016E9000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/Ident

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Invoice# 77-83992-8297382 (2).exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Code function: 0_2_0F2E2FE8 CreateProcessAsUserW, 0_2_0F2E2FE8
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.245504993.0000000005830000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000000.220656885.0000000000D02000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240375788.0000000002FB1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621320469.0000000006200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000003.243082118.00000000014BF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615231415.000000000144A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Uses 32bit PE files
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@39/2
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-83992-8297382 (2).exe.log
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e1e01d8e-d2ec-4c98-af39-dda666441e66}
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Invoice# 77-83992-8297382 (2).exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File read: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
Source: unknown Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe 'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe'
Source: unknown Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice# 77-83992-8297382 (2).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

.NET source code contains potential unpacker
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Window / User API: threadDelayed 5388
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Window / User API: threadDelayed 3964
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Window / User API: foregroundWindowGot 1343
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Window / User API: foregroundWindowGot 467
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4740 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4812 Thread sleep count: 138 > 30
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 5288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 5676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4112 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4092 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212 Thread sleep count: 79 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212 Thread sleep count: 99 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5624 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615434525.00000000014CE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Memory written: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621511799.000000000643C000.00000004.00000001.sdmp Binary or memory string: Program Manager(
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.622192424.000000000716D000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.618572960.0000000003491000.00000004.00000001.sdmp Binary or memory string: Program Manager0
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.616498522.0000000003123000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621726909.00000000067FD000.00000004.00000001.sdmp Binary or memory string: Program Manager(pI

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Queries volume information: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT (same Yara match list as under Stealing of Sensitive Information above)
Behavior Graph (image; the node contents it showed are listed here)

Behavior Graph ID: 339193  Sample: Invoice# 77-83992-8297382 (2).exe  Startdate: 13/01/2021  Architecture: WINDOWS  Score: 100
Processes: Invoice# 77-83992-8297382 (2).exe started, then started a child Invoice# 77-83992-8297382 (2).exe; dhcpmon.exe started, then started a child dhcpmon.exe
Dropped files: C:\...\Invoice# 77-83992-8297382 (2).exe.log (ASCII); C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
DNS/IP: g.msn.com; 1.ispnano.dns-cloud.net 194.5.97.173 (ports 10004, 49712, 49713; DANILENKODE, Netherlands); 192.168.2.1 (unknown)
Signatures shown on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes; 5 other signatures

Contacted Public IPs

IP            Domain   Country      ASN     ASN Name     Malicious
194.5.97.173  unknown  Netherlands  208476  DANILENKODE  false

Private

IP
192.168.2.1

Contacted Domains

Name                     IP            Active
1.ispnano.dns-cloud.net  194.5.97.173  true
g.msn.com                unknown       unknown