Analysis Report Order list 20.1.2021 07u9Uxttb5ltGU.exe

Overview

General Information

Sample Name: Order list 20.1.2021 07u9Uxttb5ltGU.exe
Analysis ID: 341280
MD5: 8935c408c5650172e350acb92e7cc659
SHA1: 69fbb8236dc958388bdaf65b986894365d6dae6b
SHA256: 5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: cool.gotdns.ch Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gIZSEI.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack
Uses 32bit PE files
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49721 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49728 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49730 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49738 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49756 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49782 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 185.19.85.136:7451
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 185.19.85.136:7451
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49721 -> 185.19.85.136:7451
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.19.85.136 185.19.85.136
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
Source: unknown DNS traffic detected: queries for: cool.gotdns.ch
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/DataSet.xsd

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order list 20.1.2021 07u9Uxttb5ltGU.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02552260 1_2_02552260
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02553160 1_2_02553160
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02550480 1_2_02550480
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02551810 1_2_02551810
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02550FA0 1_2_02550FA0
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02552250 1_2_02552250
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02551243 1_2_02551243
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02551248 1_2_02551248
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555278 1_2_02555278
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555268 1_2_02555268
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_0255305F 1_2_0255305F
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02554011 1_2_02554011
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02554020 1_2_02554020
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_025530C6 1_2_025530C6
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_025556F8 1_2_025556F8
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_025556E8 1_2_025556E8
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02550470 1_2_02550470
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555470 1_2_02555470
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555480 1_2_02555480
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02551808 1_2_02551808
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555918 1_2_02555918
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02555928 1_2_02555928
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02550EFF 1_2_02550EFF
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DFDF90 1_2_07DFDF90
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DFD670 1_2_07DFD670
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DF62D0 1_2_07DF62D0
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DF62C0 1_2_07DF62C0
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DF02BD 1_2_07DF02BD
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DF0040 1_2_07DF0040
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_07DF001D 1_2_07DF001D
PE file contains strange resources
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gIZSEI.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Binary or memory string: OriginalFilename vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668577002.0000000008570000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668577002.0000000008570000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000000.647808282.00000000000F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668411012.0000000008470000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000003.672084955.0000000001002000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000000.658830993.00000000006C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Uses 32bit PE files
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/8@26/2
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File created: C:\Users\user\AppData\Roaming\gIZSEI.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Mutant created: \Sessions\1\BaseNamedObjects\nDnmOR
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{47128c17-dc06-470e-8718-2173a7e3bbbd}
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File created: C:\Users\user\AppData\Local\Temp\tmpE60F.tmp
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File read: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: unknown Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe 'C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static file information: File size 1741312 > 1048576
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18be00
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_000F3C1E push edx; retf 1_2_000F3C26
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_000F3332 pushad ; ret 1_2_000F3335
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02556393 push edx; retf 1_2_02556395
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Code function: 1_2_02557B32 push dword ptr [edi+65h]; retf 1_2_02557B51
Source: initial sample Static PE information: section name: .text entropy: 7.07883915605

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File created: C:\Users\user\AppData\Roaming\gIZSEI.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File opened: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order list 20.1.2021 07u9Uxttb5ltGU.exe PID: 6148, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Window / User API: threadDelayed 1914
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Window / User API: threadDelayed 7527
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Window / User API: foregroundWindowGot 635
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Window / User API: foregroundWindowGot 756
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 6168 Thread sleep time: -49582s >= -30000s
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 1584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 4240 Thread sleep time: -6456360425798339s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp Binary or memory string: TQiQemUI.resources
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp Binary or memory string: TQiQemUI@
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Memory written: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000003.672084955.0000000001002000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY
Behavior Graph

Behavior Graph ID: 341280
Sample: Order list 20.1.2021 07u9Ux...
Startdate: 19/01/2021
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures
Top-level DNS/IP: cool.gotdns.ch

Process tree:
  Order list 20.1.2021 07u9Uxttb5ltGU.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\gIZSEI.exe (PE32); C:\Users\user\AppData\Local\...\tmpE60F.tmp (XML); Order list 20.1.20...9Uxttb5ltGU.exe.log (ASCII)
    Signature: Injects a PE file into a foreign processes
    -> Order list 20.1.2021 07u9Uxttb5ltGU.exe (started)
         DNS/IP: cool.gotdns.ch 185.19.85.136, 49721, 49722, 49725 DATAWIRE-ASCH Switzerland; 192.168.2.1 unknown unknown
         Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
         Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> schtasks.exe (started)
         -> conhost.exe (started)

Contacted Public IPs

IP: 185.19.85.136 | Domain: unknown | Country: Switzerland | ASN: 48971 | ASN Name: DATAWIRE-ASCH | Malicious: true

Private

IP
192.168.2.1

Contacted Domains

Name: cool.gotdns.ch | IP: 185.19.85.136 | Active: true