Analysis Report PO#4018-308875.pdf.exe

Overview

General Information

Sample Name: PO#4018-308875.pdf.exe
Analysis ID: 341926
MD5: d90049e2aff303588e499820e0d9078c
SHA1: 1153f298db7e6aeed9c3a55c907dfa474ae9155f
SHA256: 761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22
Tags: exe, NanoCore RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: InstallUtil.exe.6280.25.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: PO#4018-308875.pdf.exe ReversingLabs: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.InstallUtil.exe.5220000.6.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: PO#4018-308875.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO#4018-308875.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov esp, ebp 0_2_0550E678
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_05506D20
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_05506D20
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0550CF27
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05505EE8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then jmp 0550205Eh 0_2_05501889
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05507BB8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_0550FA79
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_05506A00
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_05506A00
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0550651C
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_05506D14
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_05506D14
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then xor edx, edx 0_2_05506C58
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then xor edx, edx 0_2_05506C4C
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05507C98
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_055069F4
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_055069F4
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then push dword ptr [ebp-24h] 20_2_05AE6D20
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_05AE6D20
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_05AECF38
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_05AE5EE8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then jmp 05AE205Eh 20_2_05AE1898
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_05AE7BB8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then push dword ptr [ebp-20h] 20_2_05AE6A00
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_05AE6A00
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_05AE651C
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then push dword ptr [ebp-24h] 20_2_05AE6D14
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_05AE6D14
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_05AE7C98
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then xor edx, edx 20_2_05AE6C4C
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then xor edx, edx 20_2_05AE6C58
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_05AECF27
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then push dword ptr [ebp-20h] 20_2_05AE69F4
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_05AE69F4
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 4x nop then jmp 05AE205Eh 20_2_05AE1889

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.162.88.26
Uses dynamic DNS services
Source: unknown DNS query: name: fenixalec.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49729 -> 185.162.88.26:20911
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS40676US AS40676US
Source: unknown DNS traffic detected: queries for: fenixalec.ddns.net
Source: PO#4018-308875.pdf.exe, 00000000.00000003.331443931.00000000014C9000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/Ident
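The configuration-extractor line under AV Detection and the Networking entries above give three things a detector can key on: the C2 address carried in the NanoCore config, the connection to that address on TCP 20911 (which is what the non-standard-port signature fires on), and the dynamic DNS name fenixalec.ddns.net. The Python below is an added example, not code from the Joe Sandbox report or from NanoCore. It parses the extractor string exactly as the report prints it (the keys carry a trailing ': '), normalises it, and runs the result over connection and DNS observations in a simplified one-line-per-event format that is an assumption for this example; the C2 connection and the ddns query are the report's values, while the resolver address and the two benign lines are constructed.

```python
"""Correlate the NanoCore config-extractor result with network observations.

Added example; not code from the Joe Sandbox report or from NanoCore. The
extractor string, the 185.162.88.26:20911 connection and the fenixalec.ddns.net
query are taken from the report; the observation line format, the resolver
address and the two benign lines are constructed for this example.
"""
import json
import re

# Extractor output exactly as the report prints it (note the 'C2: ' style keys).
EXTRACTOR_OUTPUT = ('NanoCore {"C2: ": ["185.162.88.26"], '
                    '"Version: ": "NanoCore Client, Version=1.2.2.0"}')

# Assumption: illustrative lists, not complete catalogues.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
STANDARD_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}

# Constructed observations, one per line: kind|source|destination|query-name
OBSERVATIONS = """\
tcp|192.168.2.5:49729|185.162.88.26:20911|
dns|192.168.2.5|192.168.2.1|fenixalec.ddns.net
tcp|192.168.2.5:49730|93.184.216.34:443|
dns|192.168.2.5|192.168.2.1|www.example.com
"""
LINE_RE = re.compile(r"^(?P<kind>tcp|udp|dns)\|(?P<src>[^|]+)\|(?P<dst>[^|]+)\|(?P<extra>.*)$")


def parse_extractor_output(text):
    """Split 'Family {json}' and normalise keys such as 'C2: ' to 'c2'."""
    family, _, body = text.partition(" ")
    raw = json.loads(body)
    return family, {k.rstrip(": ").lower(): v for k, v in raw.items()}


def split_endpoint(endpoint):
    """'host:port' -> (host, int port); bare host -> (host, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def c2_addresses(cfg):
    """NanoCore configs may list C2 as 'host' or 'host:port'; return (host, port) pairs."""
    return [split_endpoint(entry) for entry in cfg.get("c2", [])]


def analyse(observations, cfg):
    """Return (line number, reason) for each observation worth an analyst's attention."""
    c2_hosts = {host for host, _ in c2_addresses(cfg)}
    findings = []
    for n, line in enumerate(observations.strip().splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparsable observation"))
            continue
        if m["kind"] in ("tcp", "udp"):
            host, port = split_endpoint(m["dst"])
            if host in c2_hosts:  # a config match outranks the port heuristic
                findings.append((n, f"{m['kind']} to extracted C2 {host}:{port}"))
            elif port is not None and port not in STANDARD_PORTS:
                findings.append((n, f"{m['kind']} to non-standard port {port}"))
        else:
            name = m["extra"].lower()
            if name.endswith(DYNDNS_SUFFIXES):
                findings.append((n, f"dynamic DNS query {name}"))
    return findings


if __name__ == "__main__":
    family, cfg = parse_extractor_output(EXTRACTOR_OUTPUT)
    print(family, cfg)
    for n, reason in analyse(OBSERVATIONS, cfg):
        print(f"line {n}: {reason}")
```

The match against the extracted C2 is the high-confidence rule; the non-standard-port check is only a fallback for traffic the extractor did not explain. The ddns name is worth blocking on its own, but this excerpt does not show what it resolved to, so the example does not assume it maps to 185.162.88.26.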

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
.NET source code contains very large array initializations
Source: PO#4018-308875.pdf.exe, Cx1/r2K.cs Large array initialization: .cctor: array initializer size 2491
Source: gfrdeswaq.exe.0.dr, Cx1/r2K.cs Large array initialization: .cctor: array initializer size 2491
Source: 0.0.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs Large array initialization: .cctor: array initializer size 2491
Source: 0.2.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs Large array initialization: .cctor: array initializer size 2491
Source: 20.2.gfrdeswaq.exe.e50000.0.unpack, Cx1/r2K.cs Large array initialization: .cctor: array initializer size 2491
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#4018-308875.pdf.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A13F34 CreateProcessAsUserW, 20_2_05A13F34
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013BC02F 0_2_013BC02F
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B8BD0 0_2_013B8BD0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B5AD0 0_2_013B5AD0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B54AB 0_2_013B54AB
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013BB4F8 0_2_013BB4F8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013BD760 0_2_013BD760
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B18F8 0_2_013B18F8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B0C40 0_2_013B0C40
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013BAF38 0_2_013BAF38
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0550D5D8 0_2_0550D5D8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05500040 0_2_05500040
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05502088 0_2_05502088
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05501889 0_2_05501889
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0550D5C8 0_2_0550D5C8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_055074D8 0_2_055074D8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_055074C9 0_2_055074C9
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05502078 0_2_05502078
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05500006 0_2_05500006
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0550E0E8 0_2_0550E0E8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05507E75 0_2_05507E75
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_03263318 20_2_03263318
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_03268BD0 20_2_03268BD0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326C040 20_2_0326C040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326D770 20_2_0326D770
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326B548 20_2_0326B548
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_032654B8 20_2_032654B8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326C02F 20_2_0326C02F
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326AF38 20_2_0326AF38
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326D760 20_2_0326D760
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_03260CB0 20_2_03260CB0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326B4F8 20_2_0326B4F8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A16D28 20_2_05A16D28
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A14438 20_2_05A14438
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A10040 20_2_05A10040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A11B00 20_2_05A11B00
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A12230 20_2_05A12230
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A17958 20_2_05A17958
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A13800 20_2_05A13800
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A10006 20_2_05A10006
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A13810 20_2_05A13810
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A13388 20_2_05A13388
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A13398 20_2_05A13398
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A15BE0 20_2_05A15BE0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A14EE8 20_2_05A14EE8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A11AF1 20_2_05A11AF1
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05A12220 20_2_05A12220
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AEF6A8 20_2_05AEF6A8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AED180 20_2_05AED180
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE2088 20_2_05AE2088
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE0040 20_2_05AE0040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AEECC0 20_2_05AEECC0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE7E90 20_2_05AE7E90
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE1898 20_2_05AE1898
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE74CB 20_2_05AE74CB
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE74D8 20_2_05AE74D8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AED170 20_2_05AED170
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE0006 20_2_05AE0006
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE2078 20_2_05AE2078
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE7E80 20_2_05AE7E80
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_05AE1889 20_2_05AE1889
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_005020B0 25_2_005020B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04DFE480 25_2_04DFE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04DFE471 25_2_04DFE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04DFBBD4 25_2_04DFBBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04F7F5F8 25_2_04F7F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04F79788 25_2_04F79788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04F7A610 25_2_04F7A610
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
PE file contains strange resources
Source: PO#4018-308875.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333040710.0000000001430000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.pdf.exe
Uses 32bit PE files
Source: PO#4018-308875.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Yara signature match
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/5@9/2
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO#4018-308875.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#4018-308875.pdf.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File read: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\PO#4018-308875.pdf.exe 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO#4018-308875.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#4018-308875.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_009D2AD4 pushad ; retf 0_2_009D2AD5
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_009D2ED1 push edx; ret 0_2_009D2ED2
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_009D36CC push eax; retf 0_2_009D36CD
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_009D21C5 push ebx; ret 0_2_009D21C9
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B15A0 pushad ; iretd 0_2_013B1649
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_013B161F pushad ; iretd 0_2_013B1649
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0550C2B8 push 5DE58B90h; ret 0_2_0550C27C
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_00E521C5 push ebx; ret 20_2_00E521C9
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_00E536CC push eax; retf 20_2_00E536CD
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_00E52AD4 pushad ; retf 20_2_00E52AD5
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_00E52ED1 push edx; ret 20_2_00E52ED2
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Code function: 20_2_0326161F pushad ; iretd 20_2_03261649
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04F769F8 pushad ; retf 25_2_04F769F9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened: C:\Users\user\Desktop\PO#4018-308875.pdf.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe File opened: C:\Users\user\AppData\Roaming\gfrdeswaq.exe\:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: PO#4018-308875.pdf.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Window / User API: threadDelayed 2655
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Window / User API: threadDelayed 7155
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Window / User API: threadDelayed 8964
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Window / User API: threadDelayed 840
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1392
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 8306
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 750
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528 Thread sleep count: 2655 > 30
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528 Thread sleep count: 7155 > 30
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944 Thread sleep count: 8964 > 30
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944 Thread sleep count: 840 > 30
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6312 Thread sleep time: -2767011611056431s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: VMware
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PO#4018-308875.pdf.exe, 00000000.00000002.342115569.0000000008108000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 68C008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 00000019.00000002.625145136.0000000002DAD000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000019.00000002.629234238.0000000005F6E000.00000004.00000001.sdmp Binary or memory string: Program Manager0
Source: InstallUtil.exe, 00000019.00000002.622561201.0000000002A9B000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp Binary or memory string: Program Manager`

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Users\user\Desktop\PO#4018-308875.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Queries volume information: C:\Users\user\AppData\Roaming\gfrdeswaq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: InstallUtil.exe, 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 341926
Sample: PO#4018-308875.pdf.exe
Startdate: 20/01/2021
Architecture: WINDOWS
Score: 100

Start node
  DNS/IP: fenixalec.ddns.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
  Started: PO#4018-308875.pdf.exe

PO#4018-308875.pdf.exe
  Dropped: C:\Users\user\AppData\Roaming\gfrdeswaq.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\...\gfrdeswaq.exe:Zone.Identifier (ASCII); C:\Users\user\...\PO#4018-308875.pdf.exe.log (ASCII)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: gfrdeswaq.exe; cmd.exe

gfrdeswaq.exe
  Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  Started: InstallUtil.exe

cmd.exe
  Started: conhost.exe; reg.exe

InstallUtil.exe
  DNS/IP: fenixalec.ddns.net 185.162.88.26, 20911, 49729, 49730, AS40676US Netherlands; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)

Contacted Public IPs

IP             Domain   Country      ASN    ASN Name   Malicious
185.162.88.26  unknown  Netherlands  40676  AS40676US  true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
fenixalec.ddns.net 185.162.88.26 true