Analysis Report PO#4018-308875.pdf.exe

Overview

General Information

Sample Name: PO#4018-308875.pdf.exe
Analysis ID: 343937
MD5: ea28f2d01808072dbe45804f514ef905
SHA1: 771ff981d42d6c7fc3550de8cb109e3311b0e0fa
SHA256: 618d343a6d7f54a0bfd917555c79c6a777b10a35fc2da0d75f6d85354de40637
Tags: exeNanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: InstallUtil.exe.3888.24.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26", "185.162.88.26:2091"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Metadefender: Detection: 27% Perma Link
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: PO#4018-308875.pdf.exe Metadefender: Detection: 27% Perma Link
Source: PO#4018-308875.pdf.exe ReversingLabs: Detection: 67%
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.InstallUtil.exe.5150000.5.unpack Avira: Label: TR/NanoCore.fadte
Source: 24.2.InstallUtil.exe.390000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: PO#4018-308875.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO#4018-308875.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000018.00000000.431784367.00000000002C2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov esp, ebp 0_2_0595E658
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_05956D10
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_05956D10
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0595CF07
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05955F28
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_059569F0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059569F0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then jmp 05952056h 0_2_05951881
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05957B60
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_0595FA63
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0595650C
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_05956D04
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_05956D04
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then xor edx, edx 0_2_05956C3C
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05957C40
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then xor edx, edx 0_2_05956C48
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_059569E4
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_059569E4
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 20_2_07CACF07
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_07CA5F28
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then push dword ptr [ebp-24h] 20_2_07CA6D10
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_07CA6D10
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_07CA7B60
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then push dword ptr [ebp-20h] 20_2_07CA69F0
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_07CA69F0
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then jmp 07CA2056h 20_2_07CA1881
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_07CA650C
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then push dword ptr [ebp-24h] 20_2_07CA6D04
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_07CA6D04
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then xor edx, edx 20_2_07CA6C48
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_07CA7C40
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then xor edx, edx 20_2_07CA6C3C
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then push dword ptr [ebp-20h] 20_2_07CA69E4
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 20_2_07CA69E4

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.162.88.26
Source: Malware configuration extractor IPs: 185.162.88.26:2091
Uses dynamic DNS services
Source: unknown DNS query: name: fenixalec.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 185.162.88.26:20911
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.162.88.26 185.162.88.26
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS40676US AS40676US
Source: unknown DNS traffic detected: queries for: fenixalec.ddns.net
Source: tgfcdsxazs.exe, 00000014.00000002.688965801.0000000001789000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
Source: tgfcdsxazs.exe, 00000014.00000002.688965801.0000000001789000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/Ident

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.697105456.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.4f70000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#4018-308875.pdf.exe
Source: initial sample Static PE information: Filename: PO#4018-308875.pdf.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C51D8 CreateProcessAsUserW, 20_2_057C51D8
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0317DB41 0_2_0317DB41
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_03171A3B 0_2_03171A3B
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0317B918 0_2_0317B918
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_031709A0 0_2_031709A0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_03175800 0_2_03175800
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0317B051 0_2_0317B051
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_03178F30 0_2_03178F30
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_031737D0 0_2_031737D0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_03175E28 0_2_03175E28
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0317C40F 0_2_0317C40F
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0595D5B8 0_2_0595D5B8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05952080 0_2_05952080
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05950040 0_2_05950040
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05957E30 0_2_05957E30
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05951881 0_2_05951881
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0595D5A8 0_2_0595D5A8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_059574BB 0_2_059574BB
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_059574C8 0_2_059574C8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_0595E0C8 0_2_0595E0C8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05950006 0_2_05950006
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_05952070 0_2_05952070
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FCDB41 20_2_02FCDB41
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FCB051 20_2_02FCB051
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FC5800 20_2_02FC5800
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FC09A0 20_2_02FC09A0
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FCB918 20_2_02FCB918
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FC5E28 20_2_02FC5E28
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FC37D0 20_2_02FC37D0
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FC8F30 20_2_02FC8F30
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_02FCC40F 20_2_02FCC40F
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C6D30 20_2_057C6D30
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C0040 20_2_057C0040
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C4038 20_2_057C4038
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C1B00 20_2_057C1B00
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C2230 20_2_057C2230
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C7960 20_2_057C7960
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C3810 20_2_057C3810
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C0011 20_2_057C0011
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C3800 20_2_057C3800
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C5BE8 20_2_057C5BE8
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C3398 20_2_057C3398
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C2220 20_2_057C2220
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C1AF1 20_2_057C1AF1
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C4AE8 20_2_057C4AE8
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CAF688 20_2_07CAF688
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CAE19F 20_2_07CAE19F
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CAD160 20_2_07CAD160
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA2080 20_2_07CA2080
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA0040 20_2_07CA0040
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA7E60 20_2_07CA7E60
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CAECA0 20_2_07CAECA0
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA1881 20_2_07CA1881
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA74C8 20_2_07CA74C8
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA74B9 20_2_07CA74B9
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CAD150 20_2_07CAD150
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA2070 20_2_07CA2070
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_07CA003A 20_2_07CA003A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_002C20B0 24_2_002C20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E473 24_2_0267E473
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E480 24_2_0267E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267BBD4 24_2_0267BBD4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: PO#4018-308875.pdf.exe Binary or memory string: OriginalFilename vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360758846.00000000059F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360519336.0000000005980000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.362597582.0000000006090000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe Binary or memory string: OriginalFilenamewebapp-uninstaller.exen' vs PO#4018-308875.pdf.exe
Uses 32bit PE files
Source: PO#4018-308875.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe'
Yara signature match
Source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.697105456.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.697105456.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.4f70000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.4f70000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/5@12/3
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: PO#4018-308875.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO#4018-308875.pdf.exe Metadefender: Detection: 27%
Source: PO#4018-308875.pdf.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File read: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO#4018-308875.pdf.exe 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO#4018-308875.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#4018-308875.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000018.00000000.431784367.00000000002C2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_00E98C70 push ebx; ret 0_2_00E98C71
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_00E9835D push cs; retf 0_2_00E9838D
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Code function: 0_2_00E8230D push ebp; iretd 0_2_00E8230E
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_00CE835D push cs; retf 20_2_00CE838D
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_00CE8C70 push ebx; ret 20_2_00CE8C71
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_00CD230D push ebp; iretd 20_2_00CD230E
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Code function: 20_2_057C909E push 8B45EB68h; iretd 20_2_057C90A7
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E0F0 push edx; ret 24_2_0267E312
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E36F push edx; ret 24_2_0267E372
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E373 push edx; ret 24_2_0267E37A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E349 push edx; ret 24_2_0267E34A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E0E7 push ecx; ret 24_2_0267E0EA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E0E3 push ecx; ret 24_2_0267E0E6
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E0D8 push ecx; ret 24_2_0267E0E2
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267E471 push ebx; ret 24_2_0267E472
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_02678A61 push ss; ret 24_2_02678A62
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267EDEF push edi; ret 24_2_0267EDF2
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267EDF7 push edi; ret 24_2_0267EDFA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267EDF3 push edi; ret 24_2_0267EDF6
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267EDB9 push esi; ret 24_2_0267EDBA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267ED89 push esi; ret 24_2_0267ED8A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_026793D9 push ds; ret 24_2_026793DA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_02679660 push ds; ret 24_2_02679662
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_026796C7 push ds; ret 24_2_026796CA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0267F798 pushad ; ret 24_2_0267F79A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_02677A71 push cs; ret 24_2_02677A72
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_02677A80 push cs; ret 24_2_02677C62
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 24.2.InstallUtil.exe.390000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Jump to dropped file
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kolkmjnhgf Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kolkmjnhgf Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened: C:\Users\user\Desktop\PO#4018-308875.pdf.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe File opened: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe\:Zone.Identifier read attributes | delete Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: PO#4018-308875.pdf.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Window / User API: threadDelayed 3568 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Window / User API: threadDelayed 6276 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Window / User API: threadDelayed 428 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Window / User API: threadDelayed 9426 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 8353 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 841 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 6680 Thread sleep time: -18446744073709540s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 6680 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 6684 Thread sleep count: 3568 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 6684 Thread sleep count: 6276 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe TID: 6712 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe TID: 6712 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe TID: 6728 Thread sleep count: 428 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe TID: 6728 Thread sleep count: 9426 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2076 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360758846.00000000059F0000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.248938506.0000000002C20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.697689314.0000000006210000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PO#4018-308875.pdf.exe, 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: PO#4018-308875.pdf.exe, 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: PO#4018-308875.pdf.exe, 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360758846.00000000059F0000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.248938506.0000000002C20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.697689314.0000000006210000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO#4018-308875.pdf.exe, 00000000.00000002.355408732.00000000014FF000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tl|_tl\
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360758846.00000000059F0000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.248938506.0000000002C20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.697689314.0000000006210000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: tgfcdsxazs.exe, 00000014.00000002.696619283.00000000041D1000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: PO#4018-308875.pdf.exe, 00000000.00000002.360758846.00000000059F0000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.248938506.0000000002C20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.697689314.0000000006210000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 390000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 390000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 390000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 392000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 3B0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 3B2000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 570008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Process created: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'kolkmjnhgf' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\tgfcdsxazs.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: InstallUtil.exe, 00000018.00000002.697835412.000000000643D000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: tgfcdsxazs.exe, 00000014.00000002.689001890.0000000001B20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.688967037.0000000001120000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: tgfcdsxazs.exe, 00000014.00000002.689001890.0000000001B20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.688967037.0000000001120000.00000002.00000001.sdmp Binary or memory string: Progman
Source: tgfcdsxazs.exe, 00000014.00000002.689001890.0000000001B20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.688967037.0000000001120000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000018.00000002.689747161.0000000002764000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: tgfcdsxazs.exe, 00000014.00000002.689001890.0000000001B20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.688967037.0000000001120000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: tgfcdsxazs.exe, 00000014.00000002.689001890.0000000001B20000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.688967037.0000000001120000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000018.00000002.689747161.0000000002764000.00000004.00000001.sdmp Binary or memory string: Program Manager`

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Users\user\Desktop\PO#4018-308875.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Queries volume information: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tgfcdsxazs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: PO#4018-308875.pdf.exe, 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.689747161.0000000002764000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.689747161.0000000002764000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.356654386.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.687092112.0000000000392000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.697259526.0000000005150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.694427019.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696946485.0000000004B14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.696822953.0000000004A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#4018-308875.pdf.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3888, type: MEMORY
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.5150000.5.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 343937 Sample: PO#4018-308875.pdf.exe Startdate: 25/01/2021 Architecture: WINDOWS Score: 100 39 185.162.88.26:2091 unknown unknown 2->39 41 fenixalec.ddns.net 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 9 other signatures 2->49 8 PO#4018-308875.pdf.exe 5 2->8         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\tgfcdsxazs.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->29 dropped 31 C:\Users\...\tgfcdsxazs.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\...\PO#4018-308875.pdf.exe.log, ASCII 8->33 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->51 12 tgfcdsxazs.exe 2 8->12         started        15 cmd.exe 1 8->15         started        signatures6 process7 signatures8 53 Multi AV Scanner detection for dropped file 12->53 55 Writes to foreign memory regions 12->55 57 Allocates memory in foreign processes 12->57 59 2 other signatures 12->59 17 InstallUtil.exe 6 12->17         started        21 conhost.exe 15->21         started        23 reg.exe 1 1 15->23         started        process9 dnsIp10 35 fenixalec.ddns.net 185.162.88.26, 20911, 49737, 49738 AS40676US Netherlands 17->35 37 192.168.2.1 unknown unknown 17->37 25 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 17->25 dropped file11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.162.88.26:2091
 unknown unknown
unknown unknown true
185.162.88.26
 unknown Netherlands
40676 AS40676US true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
fenixalec.ddns.net 185.162.88.26 true