Analysis Report PO 67542 PDF.exe

Overview

General Information

Sample Name: PO 67542 PDF.exe
Analysis ID: 342299
MD5: 48e519f4c829c450926294170a30e1bb
SHA1: 2427038220c0e5c9ab296467db4ddfcdeb83037d
SHA256: 7de0221ea139d8db56886d9f794c167a8d569f9f740e3c353147592a96114648
Tags: exe, NanoCoreRAT, Yahoo

Detection

Nanocore
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY

Compliance:

Uses 32bit PE files
Source: PO 67542 PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 67542 PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO 67542 PDF.exe, 00000000.00000003.666932093.0000000000D90000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: PO 67542 PDF.exe, 00000000.00000003.666932093.0000000000D90000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then jmp 028CF60Eh 0_2_028CEE48
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then jmp 028C0949h 0_2_028C0448
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then jmp 028CF60Eh 0_2_028CEE43
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then jmp 028C0949h 0_2_028C0438
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04EC3664
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_04ECA678
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04EC40E8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC40E8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then xor edx, edx 0_2_04EC4020
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04EC3DC8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC3DC8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_04ECCE98
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov esp, ebp 0_2_04ECBE98
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04EC4858
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_04ECA668
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04EC40E0
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC40E0
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04EC40DC
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC40DC
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then xor edx, edx 0_2_04EC4018
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then xor edx, edx 0_2_04EC4014
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04EC3DC3
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC3DC3
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04EC3DBC
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04EC3DBC
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov esp, ebp 0_2_04ECBE88
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_04ECCE89
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04EC38E8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04EC38E4
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04EC5978
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then jmp 00B50949h 3_2_00B50448
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then jmp 00B50949h 3_2_00B50439
Source: PO 67542 PDF.exe, 00000000.00000003.693229799.0000000000F29000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/Ident

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Detected potential crypto function
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_005C7027 0_2_005C7027
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C0A48 0_2_028C0A48
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CBB70 0_2_028CBB70
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C9948 0_2_028C9948
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CF638 0_2_028CF638
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CD630 0_2_028CD630
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CEE48 0_2_028CEE48
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C44A0 0_2_028C44A0
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CA440 0_2_028CA440
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C7450 0_2_028C7450
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C3D36 0_2_028C3D36
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CBB6F 0_2_028CBB6F
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CBB61 0_2_028CBB61
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C993F 0_2_028C993F
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C9939 0_2_028C9939
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CD620 0_2_028CD620
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CF633 0_2_028CF633
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CEE43 0_2_028CEE43
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CA43F 0_2_028CA43F
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028CA431 0_2_028CA431
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_028C9580 0_2_028C9580
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04EC5250 0_2_04EC5250
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04ECADE8 0_2_04ECADE8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04EC524B 0_2_04EC524B
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04EC4CA0 0_2_04EC4CA0
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04EC4C9B 0_2_04EC4C9B
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04ECADDB 0_2_04ECADDB
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04ECB8F8 0_2_04ECB8F8
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04ECB908 0_2_04ECB908
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_00827027 2_2_00827027
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00147027 3_2_00147027
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B59939 3_2_00B59939
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B50A38 3_2_00B50A38
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B5BB61 3_2_00B5BB61
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B54350 3_2_00B54350
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B5A431 3_2_00B5A431
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B57450 3_2_00B57450
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B59580 3_2_00B59580
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B53D28 3_2_00B53D28
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 3_2_00B5D68C 3_2_00B5D68C
PE file contains executable resources (Code or Archives)
Source: PO 67542 PDF.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: a.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: PO 67542 PDF.exe, 00000000.00000002.701746518.0000000008920000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO 67542 PDF.exe
Source: PO 67542 PDF.exe, 00000000.00000002.701746518.0000000008920000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO 67542 PDF.exe
Source: PO 67542 PDF.exe, 00000000.00000003.666932093.0000000000D90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO 67542 PDF.exe
Source: PO 67542 PDF.exe, 00000000.00000002.701584024.0000000008820000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO 67542 PDF.exe
Source: PO 67542 PDF.exe, 00000000.00000002.700978128.0000000007E70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 67542 PDF.exe
Source: PO 67542 PDF.exe, 00000000.00000002.696464477.0000000003901000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO 67542 PDF.exe
Uses 32bit PE files
Source: PO 67542 PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal68.troj.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO 67542 PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File read: C:\Users\user\Desktop\PO 67542 PDF.exe
Source: unknown Process created: C:\Users\user\Desktop\PO 67542 PDF.exe 'C:\Users\user\Desktop\PO 67542 PDF.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO 67542 PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO 67542 PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO 67542 PDF.exe, 00000000.00000003.666932093.0000000000D90000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: PO 67542 PDF.exe, 00000000.00000003.666932093.0000000000D90000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
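The static PE lines above (32BIT_MACHINE / EXECUTABLE_IMAGE, the DllCharacteristics set NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA, and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry) come straight from the COFF and optional headers. The script below reproduces that decoding with only the standard library so the same flags can be checked on any sample offline. It is an added example, not part of the Joe Sandbox report or of the sample; the header it builds for the demo is a constructed stand-in carrying the flag values the report lists, not bytes from PO 67542 PDF.exe.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR header


def pe_static_info(data: bytes) -> dict:
    """Decode the header flags a sandbox reports as 'Static PE information'."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+ (8-byte ImageBase/stack/heap fields)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "file_flags": sorted(n for b, n in FILE_CHARACTERISTICS.items() if characteristics & b),
        "dll_flags": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
        "is_dotnet": clr_rva != 0 and clr_size != 0,   # non-empty CLR header => managed image
        # HIGH_ENTROPY_VA only widens ASLR for PE32+; on a 32-bit image it is a no-op
        "aslr": bool(dll_chars & 0x0040),
    }


def build_sample_pe32_header() -> bytes:
    """Constructed sample: headers only, carrying the flag set the report lists."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0002 | 0x0100)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
    opt = struct.pack(
        fmt, 0x10B, 48, 0,
        0x1000, 0x600, 0, 0x2FFE, 0x2000, 0x4000, 0x400000, 0x2000, 0x200,
        4, 0, 0, 0, 4, 0,
        0, 0x8000, 0x200, 0,
        2, 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000,
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)   # CLR header present
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32_header()
    print(pe_static_info(blob))
```

Run it with a file path to decode a real sample. Two points worth keeping in mind when reading the rest of this report: a non-empty COM descriptor directory means the image is managed, so the "Code function" addresses listed under the nop and crypto signatures (0x028C..., 0x04EC...) are JIT output at runtime addresses and cannot be mapped back to file offsets; and HIGH_ENTROPY_VA on a 32BIT_MACHINE image changes nothing at load time, so only DYNAMIC_BASE and NX_COMPAT are the mitigations that actually apply here.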

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Code function: 0_2_04EC3BB4 pushfd ; retf 0_2_04EC3BB5

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Roaming\a.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
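The persistence here is a Shell Link (a.lnk) in the per-user Startup folder, which is also the artifact an incident responder collects from other hosts. The script below parses the .lnk format (MS-SHLLINK) far enough to recover the target path and StringData fields, and flags targets that live in user-writable profile directories such as AppData\Roaming, where a.exe was dropped. It is an added example, not code from the report or the sample; the .lnk it builds is a constructed stand-in (target and working directory taken from the paths in this report, no IDList, no arguments), not the real a.lnk, and the `suspicious_target` path list is an assumption for illustration.

```python
import struct
from pathlib import Path

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))


def _cstr(data: bytes, off: int) -> str:
    """NUL-terminated ANSI string inside LinkInfo."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Return the local target path and StringData fields of a Shell Link (.lnk)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the IDList; the path is in LinkInfo
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"target": None}
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                          # VolumeIDAndLocalBasePath
            out["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    for flag, name in STRING_DATA:                    # fixed order, each: CountCharacters + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out


def suspicious_target(target) -> bool:
    """Assumed heuristic: a Startup shortcut into a user-writable profile dir deserves a look."""
    t = (target or "").lower()
    return any(p in t for p in ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\"))


def startup_shortcuts(folder: Path):
    """Parse every .lnk in a Startup folder (e.g. the path in this report) and flag targets."""
    for lnk in sorted(folder.glob("*.lnk")):
        info = parse_lnk(lnk.read_bytes())
        yield lnk.name, info["target"], suspicious_target(info["target"])


def build_sample_lnk(target: str, working_dir: str) -> bytes:
    """Constructed sample .lnk: no IDList, LinkInfo with a local base path, Unicode StringData."""
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\0" * 24   # ARCHIVE, 3 FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)   # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\0"        # DRIVE_FIXED, empty label
    base_path, suffix = target.encode("cp1252") + b"\0", b"\0"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base_path + suffix
    return header + link_info + struct.pack("<H", len(working_dir)) + working_dir.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Users\user\AppData\Roaming\a.exe", r"C:\Users\user\AppData\Roaming")
    info = parse_lnk(sample)
    print(info["target"], "suspicious" if suspicious_target(info["target"]) else "ok")
```

On a live host the same parser runs over `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` via `startup_shortcuts(Path(...))`; it deliberately ignores the IDList so that shortcuts whose LinkInfo has been stripped will come back with `target` set to None rather than a wrong path, and a None target in the Startup folder is itself worth investigating.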

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File opened: C:\Users\user\Desktop\PO 67542 PDF.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO 67542 PDF.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO 67542 PDF.exe TID: 5888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO 67542 PDF.exe TID: 6880 Thread sleep count: 148 > 30
Source: C:\Users\user\Desktop\PO 67542 PDF.exe TID: 1072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: VMware
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PO 67542 PDF.exe, 00000000.00000002.700978128.0000000007E70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PO 67542 PDF.exe, 00000000.00000002.696464477.0000000003901000.00000004.00000001.sdmp, a.exe, 00000002.00000002.697037922.0000000003BA1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: PO 67542 PDF.exe, 00000000.00000002.696464477.0000000003901000.00000004.00000001.sdmp, a.exe, 00000002.00000002.697037922.0000000003BA1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: PO 67542 PDF.exe, 00000000.00000002.696464477.0000000003901000.00000004.00000001.sdmp, a.exe, 00000002.00000002.697037922.0000000003BA1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: PO 67542 PDF.exe, 00000000.00000002.700978128.0000000007E70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO 67542 PDF.exe, 00000000.00000002.700978128.0000000007E70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: PO 67542 PDF.exe, 00000000.00000002.700978128.0000000007E70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process information queried: ProcessInformation
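The strings above (vmware, vmtools, vmusrvc, vmsrvc, vboxservice, vbox, qemu, Hyper-V, Microsoft Virtual PC) are what the sandbox's "Contains capabilities to detect virtual machines" signature keyed on. The following is an added example, not code from the report or from the sample: a Python scanner that hunts for the same artefacts in a memory dump, in ASCII and in UTF-16LE (the sample is .NET, so its string literals sit on the managed heap as UTF-16, where a plain `strings`/ASCII pass misses them), and only calls it a deliberate anti-VM check when more than one hypervisor family shows up. The artefact-to-family mapping, the threshold and the SAMPLE_DUMP bytes are my own constructions.

```python
import re
from collections import defaultdict

# Artefacts lifted from the report's memory strings, mapped to the hypervisor
# each one identifies (mapping is mine, not the sandbox's).
VM_ARTEFACTS = {
    "vmware": "VMware", "vmware svga": "VMware", "vmtools": "VMware",
    "tpautoconnsvc": "VMware",                     # VMware ThinPrint auto-connect service
    "vboxservice": "VirtualBox", "vbox": "VirtualBox",
    "qemu": "QEMU",
    "hyper-v": "Hyper-V",
    "vmusrvc": "Virtual PC", "vmsrvc": "Virtual PC", "microsoft virtual pc": "Virtual PC",
}


def _patterns(artefact: str) -> dict:
    """Case-insensitive byte regexes for one artefact, in ASCII and in UTF-16LE.

    The UTF-16LE form interleaves a NUL after every character, which is how a
    .NET string literal is laid out on the managed heap.
    """
    raw = artefact.encode("ascii")
    ascii_rx = re.compile(re.escape(raw), re.IGNORECASE)
    utf16_rx = re.compile(b"".join(re.escape(bytes([c])) + b"\x00" for c in raw), re.IGNORECASE)
    return {"ascii": ascii_rx, "utf-16le": utf16_rx}


def scan_memory(blob: bytes) -> dict:
    """Map each artefact found in `blob` to a list of (offset, encoding) hits."""
    hits = defaultdict(list)
    for artefact in VM_ARTEFACTS:
        for encoding, rx in _patterns(artefact).items():
            for m in rx.finditer(blob):
                hits[artefact].append((m.start(), encoding))
    return dict(hits)


def hypervisor_families(hits: dict) -> set:
    """Collapse artefact hits into the set of hypervisors the code looks for."""
    return {VM_ARTEFACTS[a] for a in hits}


def looks_like_vm_check(blob: bytes, min_families: int = 2) -> bool:
    """Heuristic: one 'vmware' string can be innocent (driver names, help text);
    strings naming two or more different hypervisors side by side is the
    fingerprint of a deliberate anti-VM check, as in this sample."""
    return len(hypervisor_families(scan_memory(blob))) >= min_families


# Constructed stand-in for a managed-heap fragment; NOT a real dump of the sample.
SAMPLE_DUMP = (
    b"\x00" * 8
    + "vboxservice".encode("utf-16le") + b"\x00\x00"        # UTF-16LE: invisible to an ASCII grep
    + b"benign text; VMware Virtual S SCSI Disk Device\x00"  # ASCII hardware name
    + "Microsoft Hyper-V".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = scan_memory(SAMPLE_DUMP)
    for artefact, where in sorted(found.items()):
        print(f"{artefact:22s} {where}")
    print("families:", sorted(hypervisor_families(found)))
    print("anti-VM check likely:", looks_like_vm_check(SAMPLE_DUMP))
```

On a real dump, pass the bytes of the `.sdmp` file to `scan_memory`. The Hyper-V error messages the report found in the 0x07E70000 region of PO 67542 PDF.exe read like Windows resource text rather than the sample's own check, which is why the heuristic wants more than one hypervisor family before it fires; the a.exe region at 0x024D0000, with VMware, VirtualBox, QEMU and Virtual PC names next to each other, is the real list.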

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Queries volume information: C:\Users\user\Desktop\PO 67542 PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 67542 PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
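An added example (my code, not the sandbox's) that makes the "Source: ..." signature lines of the Evasive, Anti Debugging, HIPS/PFW and Language/Device sections above machine-readable: a parser for that line format that builds the process tree, separates the main-thread sleeps from the sleep-loop counter, and collects the privilege, registry and volume-information queries for each process. The sample lines are copied from this report; the reading of -922337203685477 as the Sleep(INFINITE) sentinel (its magnitude is exactly 2**63 // 10_000, the most negative 64-bit relative delay scaled down by ten thousand) is my interpretation and is not stated by the report.

```python
import re
from collections import defaultdict

# The sandbox prints -922337203685477 for the main-thread sleeps. Its magnitude
# is exactly 2**63 // 10_000. My reading (not stated by the report): this is the
# 0x8000000000000000 interval Win32 hands NtDelayExecution for Sleep(INFINITE),
# scaled down by 10 000, i.e. the thread parks forever while worker threads run.
INFINITE_SLEEP_SENTINEL = 2 ** 63 // 10_000

_TRAILER = re.compile(r"\s*Jump to behavior\s*$")   # link text left over from the web report

# One regex per event type that appears in the report's "Source: ..." lines.
_RULES = {
    "sleep": re.compile(
        r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep (?P<metric>time|count): "
        r"(?P<val>-?\d+)s? (?P<op>>=|>) (?P<thr>-?\d+)s?$"),
    "process_created": re.compile(
        r"^Source: (?P<src>.+?) Process created: (?P<child>.+?) '(?P<cmdline>.*)'$"),
    "volume_query": re.compile(
        r"^Source: (?P<src>.+?) Queries volume information: (?P<target>.+?) VolumeInformation$"),
    "registry_query": re.compile(
        r"^Source: (?P<src>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)$"),
    "token_adjusted": re.compile(
        r"^Source: (?P<src>.+?) Process token adjusted: (?P<privilege>\S+)$"),
    "memory_string": re.compile(
        r"^Source: (?P<src>[^,]+), .*?Binary or memory string: (?P<string>.*)$"),
}


def parse_line(line: str):
    """Return a dict of named fields plus 'kind' for a recognised line, else None."""
    line = _TRAILER.sub("", line.strip())
    for kind, rx in _RULES.items():
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            fields["kind"] = kind
            return fields
    return None


def summarize(lines) -> dict:
    """Fold recognised report lines into a per-process behaviour summary."""
    process_tree = defaultdict(list)
    volume_queries = defaultdict(set)
    privileges = defaultdict(set)
    out = {"indefinite_sleeps": [], "long_sleeps": [], "evasive_loops": [],
           "registry_queries": [], "memory_strings": set()}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, kind = ev["src"], ev["kind"]
        if kind == "sleep":
            tid, val, thr = int(ev["tid"]), int(ev["val"]), int(ev["thr"])
            if ev["metric"] == "count":                 # repeated short sleeps: evasive loop
                out["evasive_loops"].append((src, tid, val))
            elif abs(val) == INFINITE_SLEEP_SENTINEL:   # Sleep(INFINITE), see note above
                out["indefinite_sleeps"].append((src, tid))
            elif abs(val) >= abs(thr):                  # a genuine timed long sleep
                out["long_sleeps"].append((src, tid, abs(val)))
        elif kind == "process_created":
            process_tree[src].append(ev["child"])
        elif kind == "volume_query":
            volume_queries[src].add(ev["target"])
        elif kind == "registry_query":
            out["registry_queries"].append((src, ev["key"], ev["value"]))
        elif kind == "token_adjusted":
            privileges[src].add(ev["privilege"])
        elif kind == "memory_string":
            out["memory_strings"].add(ev["string"])
    out["process_tree"] = dict(process_tree)
    out["volume_queries"] = {k: sorted(v) for k, v in volume_queries.items()}
    out["privileges"] = {k: sorted(v) for k, v in privileges.items()}
    return out


# Lines copied verbatim from this report (one with the web trailer still attached).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\PO 67542 PDF.exe TID: 5888 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\PO 67542 PDF.exe TID: 6880 Thread sleep count: 148 > 30",
    r"Source: a.exe, 00000003.00000002.698214952.00000000024D0000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC",
    r"Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\PO 67542 PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'",
    r"Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation",
    r"Source: C:\Users\user\Desktop\PO 67542 PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    "Anti Debugging:",   # section heading, ignored by the parser
]

if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(f"{key}: {value}")
```

To run it over a whole report, feed `open(path).read().splitlines()` to `summarize`; lines the rules do not recognise (headings, Yara matches, static PE facts) are skipped rather than mis-parsed. The split between `indefinite_sleeps` and `long_sleeps` matters for triage: the former is the parent thread blocking while the RAT runs, the latter is a timed delay meant to outlast the sandbox.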

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: PO 67542 PDF.exe, 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.697095966.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697565797.00000000043DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 67542 PDF.exe PID: 5036, type: MEMORY

Behavior Graph:

Behavior Graph ID: 342299
Sample: PO 67542 PDF.exe
Startdate: 20/01/2021
Architecture: WINDOWS
Score: 68

Signatures on the sample:
  • Malicious sample detected (through community Yara rule)
  • Detected Nanocore Rat
  • Yara detected Nanocore RAT

Process tree:
  • PO 67542 PDF.exe (started)
    • dropped: C:\Users\user\AppData\Roaming\a.exe, PE32
    • dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • started: a.exe
  • a.exe (started)

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
No contacted IP infos