Analysis Report Dintec Order PDF.exe

Overview

General Information

Sample Name: Dintec Order PDF.exe
Analysis ID: 345061
MD5: 98e3c2ac1efdd997b05a1fee872630ec
SHA1: d3ce076af7b45e1f11aac5e3a1c984951c7b92ba
SHA256: d09ed1437134f7e5c71ee4877e6d030c2750b6e1873fe6afb0f82b988c591b44
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe Virustotal: Detection: 42%
Multi AV Scanner detection for submitted file
Source: Dintec Order PDF.exe Virustotal: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Dintec Order PDF.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Dintec Order PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Dintec Order PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe.1.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe.1.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: a.exe, 00000002.00000002.686386684.000000000261A000.00000004.00000001.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Dintec Order PDF.exe
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Source: Dintec Order PDF.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: a.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685771109.0000000008B20000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685771109.0000000008B20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685507014.0000000008810000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.684699800.0000000005610000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Dintec Order PDF.exe
Uses 32bit PE files
Source: Dintec Order PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: Dintec Order PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Dintec Order PDF.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File read: C:\Users\user\Desktop\Dintec Order PDF.exe
Source: unknown Process created: C:\Users\user\Desktop\Dintec Order PDF.exe 'C:\Users\user\Desktop\Dintec Order PDF.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Dintec Order PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Dintec Order PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe.1.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe.1.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BF89C3 push es; retf 1_2_00BF89CA
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BFC5E3 pushad ; retf 1_2_00BFC5EA
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BFC513 pushad ; retf 1_2_00BFC51A
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BFC510 pushad ; retf 1_2_00BFC512
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BFC569 pushad ; retf 1_2_00BFC56A
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Code function: 1_2_00BFB727 push edi; retf 1_2_00BFB72A
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 2_2_00C1C569 pushad ; mov dword ptr [esp], 5504AE51h 2_2_00C1C572

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Roaming\a.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File opened: C:\Users\user\Desktop\Dintec Order PDF.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Dintec Order PDF.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 4240 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 1584 Thread sleep count: 157 > 30
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 5776 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 6076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6868 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6912 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6844 Thread sleep time: -922337203685477s >= -30000s
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: VMware
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Queries volume information: C:\Users\user\Desktop\Dintec Order PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Dintec Order PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Dintec Order PDF.exe, 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY
Behavior Graph (graph image not included; recoverable information only):

Behavior Graph ID: 345061
Sample: Dintec Order PDF.exe
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 100
Signatures on sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected Nanocore Rat; 4 other signatures
Process started: Dintec Order PDF.exe
Process started: a.exe
Files dropped by Dintec Order PDF.exe: C:\Users\user\AppData\Roaming\a.exe (PE32); C:\Users\user\...\a.exe:Zone.Identifier (ASCII); C:\Users\user\...\Dintec Order PDF.exe.log (ASCII); C:\Users\user\AppData\...\InstallUtil.exe (PE32)
Signature on Dintec Order PDF.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
Process started by Dintec Order PDF.exe: a.exe
Signatures on a.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
No contacted IP infos