Analysis Report PO#4018-308875.exe

Overview

General Information

Sample Name: PO#4018-308875.exe
Analysis ID: 342480
MD5: 37bb301570706e9b086c26c16e7cdb83
SHA1: 9ff8d1dcca0c34f62113cd7f0a5028923299cd27
SHA256: 4e599dda2d5d0f3cad7ac5451a39cb1c4934ea0f10fd9163e82711455aaf3efd
Tags: exe

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: InstallUtil.exe.5480.19.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26", "185.162.88.26:2091"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 19.2.InstallUtil.exe.420000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.InstallUtil.exe.5040000.6.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

barindex
Uses 32bit PE files
Source: PO#4018-308875.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO#4018-308875.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000013.00000000.857139795.0000000000052000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov esp, ebp 0_2_059FE508
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_059F6CE8
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059F6CE8
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_059F5EBC
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_059FCEE7
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_059F69C8
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059F69C8
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_059FF910
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then jmp 059F2026h 0_2_059F1850
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_059F7B80
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_059F64E4
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_059F6CDC
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059F6CDC
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then xor edx, edx 0_2_059F6C14
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then xor edx, edx 0_2_059F6C20
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_059F7C60
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_059F5EE1
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_059F69BC
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059F69BC
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_04F26CE8
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_04F26CE8
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 14_2_04F2CEE7
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_04F25EBC
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then jmp 04F22026h 14_2_04F21850
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_04F269C8
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_04F269C8
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_04F27B80
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_04F264E4
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_04F26CDC
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_04F26CDC
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_04F27C60
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then xor edx, edx 14_2_04F26C20
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then xor edx, edx 14_2_04F26C14
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_04F28EA0
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_04F269BC
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_04F269BC

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.162.88.26
Source: Malware configuration extractor IPs: 185.162.88.26:2091
Uses dynamic DNS services
Source: unknown DNS query: name: fenixalec.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 185.162.88.26:20911
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.162.88.26 185.162.88.26
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS40676US AS40676US
Source: unknown DNS traffic detected: queries for: fenixalec.ddns.net
Source: PO#4018-308875.exe, 00000000.00000002.781295935.0000000001578000.00000004.00000020.sdmp String found in binary or memory: http://crl.micros:
Source: edjdjdn.exe, 0000000E.00000002.1079742606.0000000000BA9000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
Source: PO#4018-308875.exe, 00000000.00000002.781552925.0000000001699000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/IdentB

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: PO#4018-308875.exe, 00000000.00000002.781113925.00000000014A0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.1086796443.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.InstallUtil.exe.4e10000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: PO#4018-308875.exe, Wp9/b4J.cs Large array initialization: .cctor: array initializer size 2491
Source: edjdjdn.exe.0.dr, Wp9/b4J.cs Large array initialization: .cctor: array initializer size 2491
Source: 0.2.PO#4018-308875.exe.d10000.0.unpack, Wp9/b4J.cs Large array initialization: .cctor: array initializer size 2491
Source: 0.0.PO#4018-308875.exe.d10000.0.unpack, Wp9/b4J.cs Large array initialization: .cctor: array initializer size 2491
Source: 14.0.edjdjdn.exe.340000.0.unpack, Wp9/b4J.cs Large array initialization: .cctor: array initializer size 2491
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#4018-308875.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE3F34 CreateProcessAsUserW, 14_2_04FE3F34
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_0167DA00 0_2_0167DA00
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_0167C2CF 0_2_0167C2CF
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_01675728 0_2_01675728
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_0167B7D8 0_2_0167B7D8
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_01678E50 0_2_01678E50
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_01675EA0 0_2_01675EA0
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059FD468 0_2_059FD468
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F2050 0_2_059F2050
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F0040 0_2_059F0040
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F7DF5 0_2_059F7DF5
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F1850 0_2_059F1850
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F7493 0_2_059F7493
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F74A0 0_2_059F74A0
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059FD458 0_2_059FD458
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F0006 0_2_059F0006
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F2040 0_2_059F2040
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059FDF79 0_2_059FDF79
Source: C:\Users\user\Desktop\PO#4018-308875.exe Code function: 0_2_059F7E2C 0_2_059F7E2C
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B7C2CF 14_2_00B7C2CF
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B7DA00 14_2_00B7DA00
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B75EA0 14_2_00B75EA0
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B78E50 14_2_00B78E50
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B7B7D8 14_2_00B7B7D8
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_00B75728 14_2_00B75728
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2F678 14_2_04F2F678
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F22050 14_2_04F22050
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F20040 14_2_04F20040
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2D140 14_2_04F2D140
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2EC90 14_2_04F2EC90
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F27E37 14_2_04F27E37
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F21850 14_2_04F21850
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F274A0 14_2_04F274A0
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F27491 14_2_04F27491
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2F668 14_2_04F2F668
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F22040 14_2_04F22040
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F20006 14_2_04F20006
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2D130 14_2_04F2D130
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04F2EC80 14_2_04F2EC80
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE4498 14_2_04FE4498
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE0040 14_2_04FE0040
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE6D38 14_2_04FE6D38
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE2230 14_2_04FE2230
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE1B00 14_2_04FE1B00
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE4489 14_2_04FE4489
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE3810 14_2_04FE3810
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE0007 14_2_04FE0007
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE3800 14_2_04FE3800
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE7958 14_2_04FE7958
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE6D28 14_2_04FE6D28
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE1AF1 14_2_04FE1AF1
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE2220 14_2_04FE2220
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE5BE0 14_2_04FE5BE0
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE3398 14_2_04FE3398
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE3388 14_2_04FE3388
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Code function: 14_2_04FE4F20 14_2_04FE4F20
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 19_2_000520B0 19_2_000520B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 19_2_04ACE480 19_2_04ACE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 19_2_04ACE471 19_2_04ACE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 19_2_04ACBBD4 19_2_04ACBBD4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
PE file contains strange resources
Source: PO#4018-308875.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: edjdjdn.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO#4018-308875.exe, 00000000.00000002.789163393.0000000008D90000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.786763274.00000000059C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.786763274.00000000059C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.780768124.0000000000E1C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameICQSetup.exe2 vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.782452982.0000000004181000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.781113925.00000000014A0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.786471639.00000000058B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.exe
Source: PO#4018-308875.exe Binary or memory string: OriginalFilenameICQSetup.exe2 vs PO#4018-308875.exe
Uses 32bit PE files
Source: PO#4018-308875.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe'
Yara signature match
Source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.1086796443.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.1086796443.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.InstallUtil.exe.4e10000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.InstallUtil.exe.4e10000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/5@10/2
Source: C:\Users\user\Desktop\PO#4018-308875.exe File created: C:\Users\user\AppData\Roaming\edjdjdn.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01
Source: C:\Users\user\Desktop\PO#4018-308875.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: PO#4018-308875.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#4018-308875.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe File read: C:\Users\user\Desktop\PO#4018-308875.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO#4018-308875.exe 'C:\Users\user\Desktop\PO#4018-308875.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\edjdjdn.exe 'C:\Users\user\AppData\Roaming\edjdjdn.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process created: C:\Users\user\AppData\Roaming\edjdjdn.exe 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO#4018-308875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#4018-308875.exe Static file information: File size 1103872 > 1048576
Source: PO#4018-308875.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000013.00000000.857139795.0000000000052000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.InstallUtil.exe.420000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\PO#4018-308875.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Users\user\Desktop\PO#4018-308875.exe File created: C:\Users\user\AppData\Roaming\edjdjdn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vsg63637 Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vsg63637 Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO#4018-308875.exe File opened: C:\Users\user\Desktop\PO#4018-308875.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe File opened: C:\Users\user\AppData\Roaming\edjdjdn.exe\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO#4018-308875.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO#4018-308875.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO#4018-308875.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO#4018-308875.exe Window / User API: threadDelayed 3472 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Window / User API: threadDelayed 6301 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Window / User API: threadDelayed 1182 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Window / User API: threadDelayed 8663 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 8087 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 798 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 5804 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 5804 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 2848 Thread sleep count: 3472 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 2848 Thread sleep count: 6301 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 5804 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe TID: 4812 Thread sleep time: -18446744073709540s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe TID: 4812 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe TID: 4996 Thread sleep count: 1182 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe TID: 4996 Thread sleep count: 8663 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5648 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: VMware
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PO#4018-308875.exe, 00000000.00000002.781248980.0000000001526000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: PO#4018-308875.exe, 00000000.00000002.786471639.00000000058B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1087466820.00000000060C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PO#4018-308875.exe, 00000000.00000002.782452982.0000000004181000.00000004.00000001.sdmp, edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: PO#4018-308875.exe, 00000000.00000002.782452982.0000000004181000.00000004.00000001.sdmp, edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: PO#4018-308875.exe, 00000000.00000002.782452982.0000000004181000.00000004.00000001.sdmp, edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: PO#4018-308875.exe, 00000000.00000002.781248980.0000000001526000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.;9.o7
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: PO#4018-308875.exe, 00000000.00000002.786471639.00000000058B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1087466820.00000000060C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO#4018-308875.exe, 00000000.00000002.786471639.00000000058B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1087466820.00000000060C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: edjdjdn.exe, 0000000E.00000002.1080195980.0000000002730000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: PO#4018-308875.exe, 00000000.00000002.781248980.0000000001526000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO#4018-308875.exe, 00000000.00000002.786471639.00000000058B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1087466820.00000000060C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 440000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 442000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 234008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Process created: C:\Users\user\AppData\Roaming\edjdjdn.exe 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vsg63637' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\edjdjdn.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: edjdjdn.exe, 0000000E.00000002.1079871362.0000000001170000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1079954779.00000000025B7000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: edjdjdn.exe, 0000000E.00000002.1079871362.0000000001170000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1079563456.0000000001050000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: edjdjdn.exe, 0000000E.00000002.1079871362.0000000001170000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1079563456.0000000001050000.00000002.00000001.sdmp Binary or memory string: Progman
Source: edjdjdn.exe, 0000000E.00000002.1079871362.0000000001170000.00000002.00000001.sdmp, InstallUtil.exe, 00000013.00000002.1079563456.0000000001050000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000013.00000002.1079954779.00000000025B7000.00000004.00000001.sdmp Binary or memory string: Program Manager`
Source: InstallUtil.exe, 00000013.00000002.1079954779.00000000025B7000.00000004.00000001.sdmp Binary or memory string: Program ManagerHaYk

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO#4018-308875.exe Queries volume information: C:\Users\user\Desktop\PO#4018-308875.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Queries volume information: C:\Users\user\AppData\Roaming\edjdjdn.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\edjdjdn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: PO#4018-308875.exe, 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: edjdjdn.exe, 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000013.00000002.1079954779.00000000025B7000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000013.00000002.1079954779.00000000025B7000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.1087650939.000000000424A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1087171564.00000000040B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782898982.0000000004AC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783786131.0000000004C5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1082965333.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1078429432.0000000000422000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1087119513.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1086961721.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: edjdjdn.exe PID: 2016, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.exe PID: 4780, type: MEMORY
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.5040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.InstallUtil.exe.420000.1.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342480 Sample: PO#4018-308875.exe Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 35 185.162.88.26:2091 unknown unknown 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: NanoCore 2->41 43 7 other signatures 2->43 8 PO#4018-308875.exe 5 2->8         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\edjdjdn.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->29 dropped 31 C:\Users\user\...\edjdjdn.exe:Zone.Identifier, ASCII 8->31 dropped 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->45 12 edjdjdn.exe 2 8->12         started        15 cmd.exe 1 8->15         started        signatures6 process7 signatures8 47 Writes to foreign memory regions 12->47 49 Allocates memory in foreign processes 12->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->51 53 Injects a PE file into a foreign processes 12->53 17 InstallUtil.exe 6 12->17         started        21 conhost.exe 15->21         started        23 reg.exe 1 1 15->23         started        process9 dnsIp10 33 fenixalec.ddns.net 185.162.88.26, 20911, 49763, 49764 AS40676US Netherlands 17->33 25 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 17->25 dropped file11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.162.88.26:2091
 unknown unknown
unknown unknown true
185.162.88.26
 unknown Netherlands
40676 AS40676US true

Contacted Domains

Name IP Active
fenixalec.ddns.net 185.162.88.26 true