Analysis Report New Order 632487 PDF.exe

Overview

General Information

Sample Name: New Order 632487 PDF.exe
Analysis ID: 357128
MD5: 6bb37fbe7ff7b15c6b20a788ba9d46ff
SHA1: e0f33af458168bccf87fa98638192626c1053ccf
SHA256: 2a65da255eb2ee6ce3c4f2a9ce64e9a48491325bb44bd0fda7c95b6a5db64a41
Tags: exe, NanoCore
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SGDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b", "Group": "BOTS", "Domain1": "forcesbots.ddns.net", "Domain2": "forcesbots.ddns.net", "Port": 7767, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\a.exe ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: New Order 632487 PDF.exe Virustotal: Detection: 42%
Source: New Order 632487 PDF.exe Metadefender: Detection: 16%
Source: New Order 632487 PDF.exe ReversingLabs: Detection: 82%
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 7084, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order 632487 PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.InstallUtil.exe.5290000.10.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: New Order 632487 PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: ?\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000003.302155078.0000000000E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000000.321576559.0000000000792000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
Source: Binary string: orlib.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, dhcpmon.exe.9.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_025A52DF
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 0_2_025A5C8A
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then jmp 07212E56h 0_2_07212690
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_07219298
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then mov esp, ebp 0_2_0721A9D8
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_0721B8C0
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then jmp 07212E56h 0_2_07212680
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_07219288
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then mov esp, ebp 0_2_0721A9C9
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_0721B8B1
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 6_2_04C452F0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 6_2_04C452DF
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 6_2_04C45C8A
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then jmp 05F72E56h 6_2_05F72690
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_05F79298
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then jmp 05F72E56h 6_2_05F72680
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_05F79288
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_02C752F0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_02C752DF
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 7_2_02C75C8A
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 7_2_02C75CB2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: forcesbots.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: forcesbots.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 193.218.118.85:7767
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.218.118.85 193.218.118.85
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EPINATURAUA EPINATURAUA
Source: unknown DNS traffic detected: queries for: forcesbots.ddns.net
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: New Order 632487 PDF.exe, 00000000.00000003.224354770.0000000008982000.00000004.00000001.sdmp, a.exe, 00000006.00000003.266327505.0000000008A72000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: New Order 632487 PDF.exe, 00000000.00000002.283382208.00000000027CD000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492633026.000000000272D000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492720693.0000000002743000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286925043.0000000002D04000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: New Order 632487 PDF.exe, 00000000.00000002.283313795.00000000027A1000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492451984.0000000002701000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: a.exe String found in binary or memory: https://github.com/PraneethMadush
Source: New Order 632487 PDF.exe, 00000000.00000002.283313795.00000000027A1000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492451984.0000000002701000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order 632487 PDF.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B52050 CreateProcessAsUserW, 6_2_06B52050
Detected potential crypto function
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025AF378 0_2_025AF378
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025AD1A0 0_2_025AD1A0
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025A5588 0_2_025A5588
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025A5869 0_2_025A5869
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025ADC48 0_2_025ADC48
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025AA718 0_2_025AA718
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_025AA709 0_2_025AA709
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07212690 0_2_07212690
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07210FB8 0_2_07210FB8
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07212E80 0_2_07212E80
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07219928 0_2_07219928
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07213938 0_2_07213938
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07212680 0_2_07212680
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_0721A439 0_2_0721A439
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_0721A448 0_2_0721A448
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07210FB0 0_2_07210FB0
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07213E20 0_2_07213E20
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07212E6F 0_2_07212E6F
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07216AC0 0_2_07216AC0
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_07219918 0_2_07219918
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_001A27EA 0_2_001A27EA
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C45598 6_2_04C45598
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C4D1A0 6_2_04C4D1A0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C4F378 6_2_04C4F378
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C4DC48 6_2_04C4DC48
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C45878 6_2_04C45878
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C4A709 6_2_04C4A709
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C4A718 6_2_04C4A718
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C475EA 6_2_04C475EA
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C45588 6_2_04C45588
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_04C45869 6_2_04C45869
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F79478 6_2_05F79478
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7E798 6_2_05F7E798
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F72690 6_2_05F72690
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7CCD8 6_2_05F7CCD8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7AFC8 6_2_05F7AFC8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F70FB8 6_2_05F70FB8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7EEC8 6_2_05F7EEC8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F72E80 6_2_05F72E80
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F73E20 6_2_05F73E20
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7B9B0 6_2_05F7B9B0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F79468 6_2_05F79468
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7E788 6_2_05F7E788
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F72680 6_2_05F72680
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F793E7 6_2_05F793E7
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7AFBB 6_2_05F7AFBB
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F70FA8 6_2_05F70FA8
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7EEBB 6_2_05F7EEBB
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F72E6F 6_2_05F72E6F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F73E1B 6_2_05F73E1B
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7B9A1 6_2_05F7B9A1
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F73938 6_2_05F73938
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F7AB69 6_2_05F7AB69
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_05F76AC0 6_2_05F76AC0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B536C0 6_2_06B536C0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B50DA0 6_2_06B50DA0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B52568 6_2_06B52568
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B536B0 6_2_06B536B0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B54290 6_2_06B54290
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B50688 6_2_06B50688
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B50210 6_2_06B50210
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B50201 6_2_06B50201
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B5067B 6_2_06B5067B
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B50D90 6_2_06B50D90
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B51920 6_2_06B51920
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C7F378 7_2_02C7F378
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C7D1A0 7_2_02C7D1A0
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C75598 7_2_02C75598
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C75878 7_2_02C75878
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C7DC48 7_2_02C7DC48
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C7A70A 7_2_02C7A70A
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C7A718 7_2_02C7A718
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C775EA 7_2_02C775EA
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C75588 7_2_02C75588
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_02C75869 7_2_02C75869
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_008227EA 7_2_008227EA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_006A20B0 9_2_006A20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04E5E480 9_2_04E5E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04E5E471 9_2_04E5E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04E5BBD4 9_2_04E5BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F2F5F8 9_2_04F2F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F29788 9_2_04F29788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F2A610 9_2_04F2A610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_007920B0 17_2_007920B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_050207C8 17_2_050207C8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: New Order 632487 PDF.exe, 00000000.00000002.282502339.0000000002550000.00000002.00000001.sdmp Binary or memory string: originalfilename vs New Order 632487 PDF.exe
Source: New Order 632487 PDF.exe, 00000000.00000002.282502339.0000000002550000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order 632487 PDF.exe
Source: New Order 632487 PDF.exe, 00000000.00000002.282331462.00000000024F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs New Order 632487 PDF.exe
Source: New Order 632487 PDF.exe, 00000000.00000002.289903582.0000000005D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order 632487 PDF.exe
Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs New Order 632487 PDF.exe
Yara signature match
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: New Order 632487 PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: a.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/10@6/1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b}
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: New Order 632487 PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\user\AppData\Roaming\a.exe File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: New Order 632487 PDF.exe Virustotal: Detection: 42%
Source: New Order 632487 PDF.exe Metadefender: Detection: 16%
Source: New Order 632487 PDF.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File read: C:\Users\user\Desktop\New Order 632487 PDF.exe
Source: unknown Process created: C:\Users\user\Desktop\New Order 632487 PDF.exe 'C:\Users\user\Desktop\New Order 632487 PDF.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order 632487 PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order 632487 PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: ?\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000003.302155078.0000000000E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000000.321576559.0000000000792000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
Source: Binary string: orlib.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, dhcpmon.exe.9.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: New Order 632487 PDF.exe, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: a.exe.0.dr, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New Order 632487 PDF.exe.1a0000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New Order 632487 PDF.exe.1a0000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.a.exe.380000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.a.exe.380000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.a.exe.820000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.a.exe.820000.0.unpack, Bd0/Li9.cs .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_001C738C push esi; iretd 0_2_001C738D
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_001C8E8C push esi; iretd 0_2_001C8E8F
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Code function: 0_2_001C84D8 push ebx; ret 0_2_001C84D9
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_003A738C push esi; iretd 6_2_003A738D
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_003A8E8C push esi; iretd 6_2_003A8E8F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_003A84D8 push ebx; ret 6_2_003A84D9
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 6_2_06B53628 push esp; retf 6_2_06B53629
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_0084738C push esi; iretd 7_2_0084738D
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_00848E8C push esi; iretd 7_2_00848E8F
Source: C:\Users\user\AppData\Roaming\a.exe Code function: 7_2_008484D8 push ebx; ret 7_2_008484D9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F269F8 pushad ; retf 9_2_04F269F9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F26A00 push esp; retf 9_2_04F26A01
Source: initial sample Static PE information: section name: .text entropy: 7.31108517286 (2 occurrences)
Source: New Order 632487 PDF.exe, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: a.exe.0.dr, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 0.0.New Order 632487 PDF.exe.1a0000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 0.2.New Order 632487 PDF.exe.1a0000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 6.0.a.exe.380000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 6.2.a.exe.380000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 7.2.a.exe.820000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 7.0.a.exe.820000.0.unpack, m0A/Nc7.cs High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
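The two static signals in this Data Obfuscation block, a .text section with entropy above 7 and push-reg/ret opcode pairs, can be reproduced offline without the sandbox. The following Python is an added example, not Joe Sandbox code and not code from the sample: it walks the PE section table by hand (pefile would normally do this), computes Shannon entropy per section, and scans executable sections for the exact byte pairs the report lists (push esi; iretd, push ebx; ret, pushad; retf, push esp; retf). The 7.0 packed threshold is an assumption, and the image it runs on is a constructed fixture built in the block, not the analysed binary.

```python
"""Static triage for the Data Obfuscation signals: per-section Shannon entropy
(the report shows .text at 7.31) and push-reg/ret style opcode pairs."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# 0x50..0x57 = push r32, 0x60 = pushad; followed by ret (C3), retf (CB) or iretd (CF)
PUSH_OPCODES = set(range(0x50, 0x58)) | {0x60}
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes, characteristics) per section; minimal PE header walk."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", image, coff)
    sec = coff + 20 + opt_size
    for _ in range(num_sections):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size], chars
        sec += 40


def find_push_ret(code: bytes):
    """Offsets and mnemonics of push-reg/pushad immediately followed by ret/retf/iretd."""
    hits = []
    for i in range(len(code) - 1):
        op, nxt = code[i], code[i + 1]
        if op in PUSH_OPCODES and nxt in RET_OPCODES:
            src = "pushad" if op == 0x60 else "push " + REG_NAMES[op - 0x50]
            hits.append((i, f"{src}; {RET_OPCODES[nxt]}"))
    return hits


def assess(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Per-section entropy, a packed flag (threshold is an assumption, not the sandbox's),
    and push/ret pairs for executable sections only."""
    report = {}
    for name, data, chars in pe_sections(image):
        ent = shannon_entropy(data)
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        report[name] = {
            "entropy": round(ent, 3),
            "packed": ent >= entropy_threshold,
            "executable": executable,
            "push_ret": find_push_ret(data) if executable else [],
        }
    return report


def build_test_pe(sections) -> bytes:
    """Constructed fixture: a minimal, non-runnable PE32 image with the given sections."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body = b"", b""
    for name, data, chars in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000, raw_size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


def demo() -> dict:
    """Assess a constructed image: a low-entropy .text seeded with the report's opcode
    pairs and an 8.0-entropy .rsrc standing in for a packed payload."""
    text = (b"\x90" * 10 + b"\x56\xCF" + b"\x90" * 5 + b"\x53\xC3" + b"\x90" * 5
            + b"\x60\xCB" + b"\x54\xCB").ljust(512, b"\x90")
    rsrc = bytes(range(256)) * 2
    image = build_test_pe([(".text", text, 0x60000020), (".rsrc", rsrc, 0x40000040)])
    return assess(image)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Entropy alone is a weak signal for .NET binaries, whose IL sections routinely sit in the 6 to 7 range; the combination with the push/ret pairs, the Assembly.Load(byte[]) call and the randomised method names above is what makes this sample stand out.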

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Boot Survival:

barindex
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File opened: C:\Users\user\Desktop\New Order 632487 PDF.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\a.exe File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes | delete
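The process chain listed under Process created (sample -> a.exe -> Temp\InstallUtil.exe -> dhcpmon.exe) together with the Startup .lnk, the PE dropped into Program Files (x86)\DHCP Monitor and the Zone.Identifier deletion above are all host-telemetry observable. The following Python is an added example, not part of the Joe Sandbox report: four small rules run over constructed events in a simplified "EventType key=value|key=value" text form that borrows Sysmon field names (Image, ParentImage, TargetFilename) but is not Sysmon's real XML; in production these would map to Sysmon Event IDs 1, 11 and 23/26. The explorer.exe parent of the initial sample and the benign InstallUtil.exe control line at the end are assumptions, not events from the report.

```python
"""Detection logic for the process chain and persistence/evasion entries,
run over constructed Sysmon-like events (not real logs)."""

# Directories a standard user can write to; an image here dropping a PE under Program
# Files matches Temp\InstallUtil.exe -> C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\desktop\\")
FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_event(line: str) -> dict:
    """Split 'EventType k=v|k=v' into a dict; paths may contain spaces but not '|' or '='."""
    etype, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    ev["EventType"] = etype
    return ev


def rule_installutil_outside_framework(ev):
    """InstallUtil.exe ships with the .NET Framework; a copy started from Temp is the
    hollowed host the report injects into (process 9)."""
    img = ev.get("Image", "").lower()
    if (ev["EventType"] == "ProcessCreate" and img.endswith("\\installutil.exe")
            and not img.startswith(FRAMEWORK_DIRS)):
        return f"InstallUtil.exe outside the Framework directory: {ev['Image']} (parent: {ev.get('ParentImage')})"


def rule_startup_lnk(ev):
    """A shortcut or script written into a Startup folder (Boot Survival: a.lnk)."""
    tgt = ev.get("TargetFilename", "").lower()
    if (ev["EventType"] == "FileCreate" and STARTUP_DIR in tgt
            and tgt.endswith((".lnk", ".exe", ".vbs", ".bat", ".cmd"))):
        return f"Startup-folder persistence: {ev['Image']} wrote {ev['TargetFilename']}"


def rule_user_path_drops_into_program_files(ev):
    """A process whose image lives in a user-writable directory writes a PE under Program Files."""
    img = ev.get("Image", "").lower()
    tgt = ev.get("TargetFilename", "").lower()
    if (ev["EventType"] == "FileCreate" and any(d in img for d in USER_WRITABLE)
            and tgt.startswith(PROGRAM_FILES) and tgt.endswith((".exe", ".dll"))):
        return f"PE dropped into Program Files from a user-writable path: {ev['Image']} -> {ev['TargetFilename']}"


def rule_zone_identifier_removed(ev):
    """Deleting the Zone.Identifier stream strips the Mark-of-the-Web from the file."""
    tgt = ev.get("TargetFilename", "")
    if ev["EventType"] == "FileDelete" and tgt.lower().endswith(":zone.identifier"):
        return f"Mark-of-the-Web removed: {ev['Image']} deleted {tgt}"


RULES = [rule_installutil_outside_framework, rule_startup_lnk,
         rule_user_path_drops_into_program_files, rule_zone_identifier_removed]


def run_rules(lines):
    """Return (rule_name, message) for every event that trips a rule, in event order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed events mirroring the report's process tree and file activity; the parent of
# the initial sample and the benign control line at the end are assumptions.
SAMPLE_EVENTS = [
    r"ProcessCreate Image=C:\Users\user\Desktop\New Order 632487 PDF.exe|ParentImage=C:\Windows\explorer.exe",
    r"FileDelete Image=C:\Users\user\Desktop\New Order 632487 PDF.exe|TargetFilename=C:\Users\user\Desktop\New Order 632487 PDF.exe:Zone.Identifier",
    r"FileCreate Image=C:\Users\user\Desktop\New Order 632487 PDF.exe|TargetFilename=C:\Users\user\AppData\Roaming\a.exe",
    r"FileCreate Image=C:\Users\user\Desktop\New Order 632487 PDF.exe|TargetFilename=C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk",
    r"ProcessCreate Image=C:\Users\user\AppData\Roaming\a.exe|ParentImage=C:\Users\user\Desktop\New Order 632487 PDF.exe",
    r"ProcessCreate Image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe|ParentImage=C:\Users\user\AppData\Roaming\a.exe",
    r"FileCreate Image=C:\Users\user\AppData\Local\Temp\InstallUtil.exe|TargetFilename=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
    r"ProcessCreate Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|ParentImage=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The InstallUtil rule is the highest-fidelity of the four: the genuine binary only ever runs from the Framework directories, so any other path is worth an alert on its own, whereas Startup-folder writes and Program Files drops need the process-origin condition to keep installers quiet.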
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Process information set: NOOPENFILEERRORBOX (49 occurrences)
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX (48 occurrences)
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect virtual machines (SGDT)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 9_2_04F2C040 sgdt fword ptr [00000000h] 9_2_04F2C040
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\a.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 5013
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 4565
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 637
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6652 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6712 Thread sleep count: 45 > 30
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6320 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5816 Thread sleep count: 168 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5816 Thread sleep time: -168000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6512 Thread sleep count: 179 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6156 Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6156 Thread sleep time: -173000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 5812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6500 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7124 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2344 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\a.exe Last function: Thread delayed (2 identical entries)
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: VMware
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmware
Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Process information queried: ProcessInformation
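The memory strings above look glued together ("vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device", "virtual-vmware pointing device", "tpautoconnsvc#Microsoft Hyper-V"). The odd joining characters are the length prefixes of adjacent entries in the assembly's #US (user string) heap: ECMA-335 stores each string literal as a compressed byte length (text bytes plus one trailing flag byte) followed by UTF-16LE text. The arithmetic checks out for every visible joint: '5' is 0x35 = 53 = 26 * 2 + 1 for "vmware usb pointing device", '-' is 0x2D = 45 = 22 * 2 + 1 for "vmware vmci bus device", 'C' is 0x43 = 67 = 33 * 2 + 1 for "vmware virtual s scsi disk device", ')' is 0x29 = 41 = 20 * 2 + 1 for "Microsoft Virtual PC", and '#' is 0x23 = 35 = 17 * 2 + 1 for "Microsoft Hyper-V". That is my reading of the dump, not something the report states. The Python below is an added example of mine, not code from the report or from the sample: it builds a #US heap from the strings listed above (constructed input), shows how a null-tolerant strings scanner reproduces the glued form (an assumption about how the extractor behaves, chosen because it yields exactly the report's output), decodes the heap entry by entry instead, and maps each recovered literal to the hypervisor it fingerprints. The length codec handles the 2- and 4-byte forms as well, which the sample strings do not need.

```python
import re

# Hypervisor markers among the report's memory strings (matched case-insensitively).
# vmusrvc/vmsrvc are Virtual PC additions services, tpautoconnsvc is VMware ThinPrint.
VM_MARKERS = {
    "VMware": ("vmware", "vmtools", "tpautoconnsvc"),
    "VirtualBox": ("vbox",),
    "QEMU": ("qemu",),
    "Hyper-V": ("hyper-v",),
    "Virtual PC": ("virtual pc", "vmsrvc", "vmusrvc"),
}

# Constructed heap contents: the user strings visible in the report's dump lines, in the
# order the dump shows them. Typed in here for the demo; not the sample's real #US heap.
SAMPLE_STRINGS = [
    "vmware sata", "vmware usb pointing device", "vmware vmci bus device",
    "vmware virtual s scsi disk device", "vboxservice", "vbox", "Microsoft Virtual PC",
    "virtual", "vmware pointing device", "tpautoconnsvc", "Microsoft Hyper-V",
    "vmusrvc", "vmsrvc", "vmtools", "qemu",
]

def encode_compressed_uint(n):
    """ECMA-335 II.23.2 compressed unsigned integer: 1, 2 or 4 bytes."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    if n < 0x20000000:
        return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
    raise ValueError("value too large for a compressed integer")

def decode_compressed_uint(buf, pos):
    """Return (value, position after it) for the compressed integer at buf[pos]."""
    b = buf[pos]
    if b & 0x80 == 0:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b & 0xE0 == 0xC0:
        return (((b & 0x1F) << 24) | (buf[pos + 1] << 16) | (buf[pos + 2] << 8)
                | buf[pos + 3]), pos + 4
    raise ValueError("invalid compressed integer at offset %d" % pos)

def _needs_flag(ch):
    """ECMA-335 II.24.2.4 trailing byte: 1 when a char needs special handling ('-' does)."""
    code = ord(ch)
    low = code & 0xFF
    return (code > 0xFF or 0x01 <= low <= 0x08 or 0x0E <= low <= 0x1F
            or low in (0x27, 0x2D, 0x7F))

def encode_us_heap(strings):
    """Build a #US heap: the mandatory empty first entry, then length-prefixed UTF-16LE
    entries. The length counts the text bytes plus the one trailing flag byte."""
    heap = bytearray(b"\x00")
    for s in strings:
        text = s.encode("utf-16-le")
        flag = 1 if any(_needs_flag(c) for c in s) else 0
        heap += encode_compressed_uint(len(text) + 1) + text + bytes([flag])
    return bytes(heap)

def decode_us_heap(buf):
    """Walk a #US heap (or a dumped fragment that starts on an entry) entry by entry."""
    out, pos = [], 0
    while pos < len(buf):
        length, pos = decode_compressed_uint(buf, pos)
        if length:
            out.append(buf[pos:pos + length - 1].decode("utf-16-le", errors="replace"))
            pos += length
    return out

# A strings-style scanner that accepts any run of printable ASCII with interleaved nulls.
# Assumption: this is how the report's extractor behaves; it explains the joined output.
NAIVE_RE = re.compile(rb"(?:[\x20-\x7e]\x00*){4,}")

def naive_wide_strings(buf):
    """The glued view: each entry's length prefix is swallowed as a printable character
    ('5' = 0x35 = 26 chars * 2 + 1 for "vmware usb pointing device"), so entries run on."""
    return [m.group().replace(b"\x00", b"").decode("ascii") for m in NAIVE_RE.finditer(buf)]

def fingerprint_hypervisors(strings):
    """Map each decoded string to the hypervisor(s) it fingerprints."""
    hits = {}
    for s in strings:
        low = s.lower()
        for vendor, markers in VM_MARKERS.items():
            if any(marker in low for marker in markers):
                hits.setdefault(vendor, []).append(s)
    return hits

if __name__ == "__main__":
    heap = encode_us_heap(SAMPLE_STRINGS)
    print("glued:", naive_wide_strings(heap)[0])
    print("decoded:", decode_us_heap(heap))
    print("fingerprints:", fingerprint_hypervisors(decode_us_heap(heap)))
```

When triaging a .NET sample, decode the #US heap (or the dumped fragment of it) rather than trusting a strings pass: the glued view hides where one literal ends and the next begins, and the flag byte after "Microsoft Hyper-V" (set because of the '-') is what stops that particular run in the report.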

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\a.exe Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\a.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\a.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 8EF008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.496290459.0000000002D1E000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp Binary or memory string: Progman
Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000009.00000002.503844740.00000000065BD000.00000004.00000010.sdmp Binary or memory string: Program Manager@2
Source: InstallUtil.exe, 00000009.00000002.503923827.000000000697E000.00000004.00000001.sdmp Binary or memory string: Program Manager@
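The injection lines above describe a RunPE-style sequence: a.exe creates InstallUtil.exe (listed under the suspended-mode signature), allocates an execute/read/write region at the child's image base 0x400000, writes an MZ header there, fills 0x402000 through 0x422000, and finally writes to 0x8EF008, far outside the image. That last write is where a hollowing loader typically updates PEB.ImageBaseAddress (offset 0x08 in a 32-bit PEB) so the loader runs the replaced image; the report does not show the child's PEB address, so treat the PEB reading as an inference. The sleep observations in the evasion section show a delay of 922337203685477 ms, which is Int64.MaxValue 100 ns ticks divided by 10,000, i.e. TimeSpan.MaxValue: an unbounded wait rather than a timed one. The Python below is an added example of mine, not part of the report or of the sample: it parses behaviour lines in the report's own "Source: <process> <action>: <detail>" shape (a constructed sample that mirrors the lines above), rebuilds the per-target remote-write chain, grades it as hollowing, and applies the report's own sleep thresholds (>= 3 min, sleep count > 30). The 1 MiB image span is my choice for separating image-fill writes from the far write.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks of 100 ns each. The report's
# "delay time: 922337203685477" is exactly this value, i.e. an unbounded wait.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000      # the report's ">= 3 min" threshold
MAX_SLEEP_COUNT = 30               # the report's "sleep count > 30" threshold
IMAGE_SPAN = 0x100000              # assumption: writes within 1 MiB of the base are image data

A_EXE = r"C:\Users\user\AppData\Roaming\a.exe"
TARGET = r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"

# Constructed input in the report's "Source: <process> <action>: <detail>" shape. The values
# mirror the injection and sleep observations above but were typed in here; not a captured log.
SAMPLE_LINES = [
    f"Source: {A_EXE} Process created: {TARGET} {TARGET}",
    f"Source: {A_EXE} Memory allocated: {TARGET} base: 400000 protect: page execute and read and write",
    f"Source: {A_EXE} Memory written: {TARGET} base: 400000 value starts with: 4D5A",
    f"Source: {A_EXE} Memory written: {TARGET} base: 402000",
    f"Source: {A_EXE} Memory written: {TARGET} base: 420000",
    f"Source: {A_EXE} Memory written: {TARGET} base: 422000",
    f"Source: {A_EXE} Memory written: {TARGET} base: 8EF008",
    f"Source: {A_EXE} Thread delayed: delay time: 922337203685477",
    f"Source: {A_EXE} TID: 6156 Thread sleep count: 173 > 30",
    f"Source: {TARGET} Thread delayed: delay time: 1000",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<action>Process created|Memory allocated|Memory written|"
    r"Thread delayed|TID: \d+ Thread sleep count): (?P<detail>.*)$")
MEM_RE = re.compile(
    r"^(?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: protect: (?P<prot>.+?))?"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
EXE_RE = re.compile(r"(.+?\.exe)(?:\s|$)")   # image path comes first, then the command line

def parse_event(line):
    """Split one report line into src/action/detail; None for lines that are not events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev["action"].startswith("TID:"):
        ev["action"] = "Thread sleep count"
    return ev

def _new_chain():
    return {"created": False, "rwx_base": None, "mz_at_base": False,
            "image_writes": 0, "far_writes": []}

def detect_hollowing(events):
    """Rebuild the remote-write chain per (injector, target) and grade it.
    Stages are the ones the report exposes: child created, RWX region allocated at its image
    base, MZ header written there, more writes inside the image, and a write far outside it.
    The far write is where a RunPE loader usually updates PEB.ImageBaseAddress (PEB+0x08 on
    32-bit); the report does not show the PEB address, so it is only recorded, not asserted."""
    chains = defaultdict(_new_chain)
    for ev in events:
        if ev["action"] == "Process created":
            m = EXE_RE.match(ev["detail"])
            if m:
                chains[(ev["src"], m.group(1))]["created"] = True
            continue
        if ev["action"] not in ("Memory allocated", "Memory written"):
            continue
        m = MEM_RE.match(ev["detail"])
        if not m:
            continue
        c = chains[(ev["src"], m["dst"])]
        base = int(m["base"], 16)
        if ev["action"] == "Memory allocated":
            if m["prot"] and "execute" in m["prot"] and "write" in m["prot"]:
                c["rwx_base"] = base
        elif m["magic"] and m["magic"].upper() == "4D5A" and base == c["rwx_base"]:
            c["mz_at_base"] = True
        elif c["rwx_base"] is not None and 0 <= base - c["rwx_base"] < IMAGE_SPAN:
            c["image_writes"] += 1
        else:
            c["far_writes"].append(base)
    findings = []
    for (src, dst), c in chains.items():
        stages = [c["created"], c["rwx_base"] is not None, c["mz_at_base"],
                  c["image_writes"] > 0, bool(c["far_writes"])]
        if all(stages[:3]):
            verdict = "process hollowing"
        elif any(stages[1:]):
            verdict = "suspicious remote write"
        else:
            verdict = "none"
        findings.append({"injector": src, "target": dst, "stages": sum(stages),
                         "far_writes": c["far_writes"], "verdict": verdict})
    return findings

def detect_evasive_sleeps(events):
    """Flag sleeps of >= 3 min (marking the TimeSpan.MaxValue case) and tight sleep loops."""
    findings = []
    for ev in events:
        if ev["action"] == "Thread delayed":
            ms = int(ev["detail"].rsplit(" ", 1)[1])
            if ms >= LONG_SLEEP_MS:
                findings.append({"process": ev["src"], "kind": "long sleep", "ms": ms,
                                 "unbounded": ms == TIMESPAN_MAX_MS})
        elif ev["action"] == "Thread sleep count":
            n = int(ev["detail"].split()[0])
            if n > MAX_SLEEP_COUNT:
                findings.append({"process": ev["src"], "kind": "sleep loop", "count": n})
    return findings

def analyze(lines):
    events = [ev for ev in map(parse_event, lines) if ev]
    return {"hollowing": detect_hollowing(events), "sleeps": detect_evasive_sleeps(events)}

if __name__ == "__main__":
    for section, items in analyze(SAMPLE_LINES).items():
        for item in items:
            print(section, item)
```

The grading deliberately requires the first three stages (child created, RWX allocation at the base, MZ written at that base) before calling it hollowing; a lone remote write, such as the 0x8EF008 one seen without the rest of the chain, only rates "suspicious remote write", which keeps legitimate injectors (debuggers, some AV hooks) from tripping the strong verdict.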

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Queries volume information: C:\Users\user\Desktop\New Order 632487 PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 7084, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: New Order 632487 PDF.exe, 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 7084, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE
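The type and method names recovered from InstallUtil.exe memory above (NanoCore.ClientPluginHost, IClientNetworkHost, DisableProtection, RebuildHostCache, ClientPlugin.dll and so on) are the kind of strings a rule such as the community Yara signature keys on. They only become visible once the .NET payload has been unpacked into memory, which is why every match in the list is a memory dump (.sdmp) or an unpacked PE and none is the submitted file on disk. The Python below is an added illustration, not the sandbox's rule and not NanoCore code: it scans a buffer for those identifiers in UTF-8 (how the .NET #Strings heap stores them) and UTF-16LE, and applies an N-of-M threshold. The identifier selection, the threshold of 6 and the three sample buffers are constructed assumptions.

```python
import re

# Identifiers copied from the NanoCore ClientPlugin type and method names dumped
# from InstallUtil.exe memory above. The selection is an assumption; it is not
# the community Yara rule that fired in the report.
NANOCORE_IDENTIFIERS = [
    "NanoCore.ClientPlugin",
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "IClientAppHost",
    "ClientPlugin.dll",
    "DisableProtection",
    "RestoreProtection",
    "RebuildHostCache",
    "AddHostEntry",
    "ReadPacket",
    "SendToServer",
]


def scan_region(data: bytes, threshold: int = 6) -> dict:
    """Look for the identifiers in a memory region or unpacked PE image.

    The .NET #Strings heap stores identifiers as UTF-8, so plain ASCII needles
    find them in an unpacked image; the UTF-16LE pass catches copies held in
    managed string objects. Returns the number of distinct identifiers seen,
    their offsets per encoding, and a verdict against an N-of-M threshold.
    """
    hits = {}
    for ident in NANOCORE_IDENTIFIERS:
        for encoding, needle in (("utf8", ident.encode()),
                                 ("utf16", ident.encode("utf-16-le"))):
            offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
            if offsets:
                hits.setdefault(ident, []).append((encoding, offsets))
    return {"distinct": len(hits), "hits": hits, "match": len(hits) >= threshold}


# Constructed #Strings-heap fragment in the layout the dump above shows
# (NUL-separated identifiers), standing in for an unpacked NanoCore region.
UNPACKED_STRINGS_HEAP = b"\x00".join([
    b"<Module>", b"mscorlib", b"NanoCore.ClientPlugin", b"IClientNetwork",
    b"NanoCore.ClientPluginHost", b"IClientNetworkHost", b"IClientUIHost",
    b"IClientLoggingHost", b"IClientAppHost", b"ReadPacket", b"SendToServer",
    b"RebuildHostCache", b"AddHostEntry", b"DisableProtection",
    b"RestoreProtection", b"ClientPlugin.dll",
]) + b"\x00"

# Constructed stand-in for the packed on-disk sample: no identifiers in the
# clear, which is why a rule like this only fires on memory dumps and unpacked PEs.
PACKED_STUB = b"MZ\x90\x00" + bytes(range(256)) * 4

# A single identifier held as a managed (UTF-16LE) string: found, but below threshold.
UTF16_ONLY = b"\x00" * 16 + "NanoCore.ClientPlugin".encode("utf-16-le") + b"\x00" * 16

if __name__ == "__main__":
    for name, region in (("unpacked", UNPACKED_STRINGS_HEAP),
                         ("packed", PACKED_STUB), ("utf16", UTF16_ONLY)):
        r = scan_region(region)
        print(name, "distinct=%d match=%s" % (r["distinct"], r["match"]))
```

Run it against a process dump (for example the sdmp regions listed above) rather than the dropped file: the packed stub returns no hits at all, the UTF-16 buffer returns one identifier and no verdict, and only the unpacked heap crosses the threshold.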
Behavior Graph

Behavior Graph ID: 357128
Sample: New Order 632487 PDF.exe
Start date: 24/02/2021
Architecture: WINDOWS
Score: 100

Root (sandbox start):
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
  Started: a.exe; New Order 632487 PDF.exe; dhcpmon.exe

New Order 632487 PDF.exe:
  Dropped: C:\Users\user\AppData\Roaming\a.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\...\a.exe:Zone.Identifier (ASCII); C:\Users\...\New Order 632487 PDF.exe.log (ASCII)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: a.exe

a.exe:
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
  Started: InstallUtil.exe

InstallUtil.exe:
  Network: forcesbots.ddns.net (193.218.118.85, port 7767, EPINATURAUA, Ukraine)
  Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Program Files (x86)\...\dhcpmon.exe (PE32)

dhcpmon.exe:
  Started: conhost.exe

Contacted Public IPs

IP               Domain    Country   ASN      ASN Name      Malicious
193.218.118.85   unknown   Ukraine   207656   EPINATURAUA   true

Contacted Domains

Name IP Active
forcesbots.ddns.net 193.218.118.85 true

Contacted URLs

Name                  Malicious   Antivirus Detection                       Reputation
forcesbots.ddns.net   true        Virustotal: 2%; Avira URL Cloud: safe     unknown
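The process chain and the contacted host above give a behavioural pattern that survives an operator rotating the DDNS hostname, the IP or the port: InstallUtil.exe (a .NET Framework utility that belongs under %WINDIR%\Microsoft.NET) started from a user-writable path by a dropped loader, a PE written into Program Files, a run.dat written under AppData, a dynamic-DNS lookup, and an outbound connection on a non-standard port. The Python below is an added example, not part of the sandbox report or any of its rules: it scores constructed Sysmon-style events per process against those observables and raises an alert when a process's score crosses a threshold. The domain, IP, port and PIDs are the ones in the report; the event records, the subfolder names the report elides, the weights, the benign control process and the sample's own download path are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the report tables above. Everything else here
# (event records, weights, elided folder names) is constructed for illustration.
C2_DOMAIN = "forcesbots.ddns.net"
C2_IP = "193.218.118.85"
C2_PORT = 7767
DDNS_SUFFIXES = (".ddns.net",)  # suffix seen in this report; extend to other providers as needed
STANDARD_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}


def user_writable(path: str) -> bool:
    """Heuristic: paths a standard user can write to (not a Windows ACL check)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\temp\\" in p


def evaluate(events):
    """Score each PID against the NanoCore-style chain seen in the behaviour
    graph. Returns {pid: {"image": str, "score": int, "reasons": [str, ...]}};
    PIDs with no hits are absent."""
    findings = defaultdict(lambda: {"image": None, "score": 0, "reasons": []})

    def hit(pid, image, weight, reason):
        f = findings[pid]
        f["image"] = image
        f["score"] += weight
        f["reasons"].append(reason)

    for ev in events:
        kind, pid, image = ev["type"], ev["pid"], ev["image"]
        low = image.lower()
        if kind == "ProcessCreate" and low.endswith("\\installutil.exe"):
            # Legitimate InstallUtil.exe lives under %WINDIR%\Microsoft.NET; a copy
            # in AppData is the loader the sample dropped.
            if user_writable(image):
                hit(pid, image, 3, "InstallUtil.exe running from a user-writable path")
            if user_writable(ev["parent_image"]):
                hit(pid, image, 2, "spawned by " + ev["parent_image"])
        elif kind == "FileCreate":
            tgt = ev["target"].lower()
            if tgt.startswith("c:\\program files") and tgt.endswith(".exe"):
                hit(pid, image, 2, "dropped PE into Program Files: " + ev["target"])
            if tgt.endswith("\\run.dat"):
                hit(pid, image, 1, "wrote NanoCore-style run.dat: " + ev["target"])
        elif kind == "FileDelete" and ev["target"].lower().endswith(":zone.identifier"):
            hit(pid, image, 1, "removed Zone.Identifier (hides mark-of-the-web)")
        elif kind == "DnsQuery":
            q = ev["query"].lower()
            if q == C2_DOMAIN:
                hit(pid, image, 5, "resolved known C2 " + q)
            elif q.endswith(DDNS_SUFFIXES):
                hit(pid, image, 2, "resolved dynamic-DNS host " + q)
        elif kind == "NetworkConnect":
            if ev["dst_ip"] == C2_IP and ev["dst_port"] == C2_PORT:
                hit(pid, image, 5, "connected to known C2 %s:%d" % (C2_IP, C2_PORT))
            elif ev["dst_port"] not in STANDARD_PORTS:
                hit(pid, image, 1, "outbound connection on non-standard port %d" % ev["dst_port"])
    return dict(findings)


def alerts(events, threshold=5):
    """PIDs whose accumulated score reaches the threshold."""
    return {pid: f for pid, f in evaluate(events).items() if f["score"] >= threshold}


# Constructed Sysmon-style events mirroring the behaviour graph. PIDs are the
# ones shown in the report; the subfolders the report elides ("...") and the
# sample's download location are invented.
SAMPLE = "C:\\Users\\user\\Downloads\\New Order 632487 PDF.exe"
AEXE = "C:\\Users\\user\\AppData\\Roaming\\a.exe"
INSTALLUTIL = "C:\\Users\\user\\AppData\\Roaming\\InstallUtil.exe"
BROWSER = "C:\\Program Files\\Browser\\browser.exe"
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 6284, "image": SAMPLE, "target": AEXE},
    {"type": "FileDelete", "pid": 6284, "image": SAMPLE, "target": AEXE + ":Zone.Identifier"},
    {"type": "ProcessCreate", "pid": 7084, "image": AEXE, "parent_image": SAMPLE},
    {"type": "ProcessCreate", "pid": 6160, "image": INSTALLUTIL, "parent_image": AEXE},
    {"type": "FileCreate", "pid": 6160, "image": INSTALLUTIL,
     "target": "C:\\Program Files (x86)\\Example Folder\\dhcpmon.exe"},
    {"type": "FileCreate", "pid": 6160, "image": INSTALLUTIL,
     "target": "C:\\Users\\user\\AppData\\Roaming\\Example Folder\\run.dat"},
    {"type": "DnsQuery", "pid": 6160, "image": INSTALLUTIL, "query": C2_DOMAIN},
    {"type": "NetworkConnect", "pid": 6160, "image": INSTALLUTIL,
     "dst_ip": C2_IP, "dst_port": C2_PORT},
    # Benign control: a browser resolving a normal host on 443 must not score.
    {"type": "DnsQuery", "pid": 4100, "image": BROWSER, "query": "example.com"},
    {"type": "NetworkConnect", "pid": 4100, "image": BROWSER,
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, f in alerts(SAMPLE_EVENTS).items():
        print(pid, f["image"], f["score"])
        for reason in f["reasons"]:
            print("   ", reason)
```

Only the injected InstallUtil.exe process (PID 6160) crosses the threshold; the sample itself scores one point for the Zone.Identifier removal and the browser scores nothing. Weight the literal indicators (domain, IP:port) highest because they are certain for this sample, but keep the behavioural checks, since a rebuilt NanoCore client with a different DDNS name would otherwise pass unnoticed.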