Play interactive tour

Edit tour

Analysis Report 3Fv4j323nj.exe

Overview

General Information

Sample Name:	3Fv4j323nj.exe
Analysis ID:	357177
MD5:	acfcbd916fa04787e4388b339592dd78
SHA1:	f2a572347c81b71c3a59f00a37f68db698715460
SHA256:	ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

Nanocore GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected GuLoader

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

3Fv4j323nj.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\3Fv4j323nj.exe' MD5: ACFCBD916FA04787E4388B339592DD78)

RegAsm.exe (PID: 808 cmdline: 'C:\Users\user\Desktop\3Fv4j323nj.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4800 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5364 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 5344 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 2156 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

filename1.exe (PID: 5044 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: ACFCBD916FA04787E4388B339592DD78)

dhcpmon.exe (PID: 5736 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7c50348d-f4bf-40ba-b0d6-02de82eca13f", "Group": "BIZ SALES", "Domain1": "194.5.98.182", "Domain2": "", "Port": 3765, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a3d:$a: NanoCore 0x13a96:$a: NanoCore 0x13ad3:$a: NanoCore 0x13b4c:$a: NanoCore 0x271f7:$a: NanoCore 0x2720c:$a: NanoCore 0x27241:$a: NanoCore 0x401bb:$a: NanoCore 0x401d0:$a: NanoCore 0x40205:$a: NanoCore 0x13a9f:$b: ClientPlugin 0x13adc:$b: ClientPlugin 0x143da:$b: ClientPlugin 0x143e7:$b: ClientPlugin 0x26fb3:$b: ClientPlugin 0x26fce:$b: ClientPlugin 0x26ffe:$b: ClientPlugin 0x27215:$b: ClientPlugin 0x2724a:$b: ClientPlugin 0x3ff77:$b: ClientPlugin 0x3ff92:$b: ClientPlugin
0000000C.00000002.482199109.0000000001002000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Process Memory Space: RegAsm.exe PID: 808	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 808	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 808	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2d10a:$a: NanoCore 0x2d137:$a: NanoCore 0x2d190:$a: NanoCore 0x3499f:$a: NanoCore 0x349b2:$a: NanoCore 0x349e4:$a: NanoCore 0x6911b:$a: NanoCore 0x691bc:$a: NanoCore 0x69229:$a: NanoCore 0x692ea:$a: NanoCore 0x6a1bb:$a: NanoCore 0x6a20e:$a: NanoCore 0x6a247:$a: NanoCore 0x6a2ba:$a: NanoCore 0x6ed62:$a: NanoCore 0x6ed8f:$a: NanoCore 0x6ede8:$a: NanoCore 0x765f7:$a: NanoCore 0x7660a:$a: NanoCore 0x7663c:$a: NanoCore 0x800d0:$a: NanoCore
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.RegAsm.exe.1dd516dc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.RegAsm.exe.1dd516dc.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed8ea94.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28771:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2879e:$x2: IClientNetworkHost
12.2.RegAsm.exe.1ed8ea94.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28771:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2984c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2878b:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed8ea94.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.1ed8ea94.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.RegAsm.exe.1ed8ea94.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed8ea94.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.20790000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.RegAsm.exe.20790000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.RegAsm.exe.20790000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.20500000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.RegAsm.exe.20500000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed930bd.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24148:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24175:$x2: IClientNetworkHost
12.2.RegAsm.exe.1ed930bd.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24148:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25223:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24162:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed930bd.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.20790000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.RegAsm.exe.20790000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.RegAsm.exe.20790000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.20794629.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.RegAsm.exe.20794629.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.RegAsm.exe.20794629.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.1ed89c5e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5d4:$x2: IClientNetworkHost
12.2.RegAsm.exe.1ed89c5e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5a7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e682:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5c1:$s5: IClientLoggingHost
12.2.RegAsm.exe.1ed89c5e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.RegAsm.exe.1ed89c5e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d55d:$a: NanoCore 0x2d572:$a: NanoCore 0x2d5a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d319:$b: ClientPlugin 0x2d334:$b: ClientPlugin
Click to see the 21 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 808, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\3Fv4j323nj.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 808, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp', ProcessId: 4800

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7c50348d-f4bf-40ba-b0d6-02de82eca13f", "Group": "BIZ SALES", "Domain1": "194.5.98.182", "Domain2": "", "Port": 3765, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: 3Fv4j323nj.exe

Virustotal: Detection: 12%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE

Source: 12.2.RegAsm.exe.20790000.10.unpack

Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: 3Fv4j323nj.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.12.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdb~ source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 0000000C.00000002.502805813.00000000204A0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 194.5.98.182

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 194.5.98.182:3765

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.482199109.0000000001002000.00000040.00000001.sdmp

String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: RegAsm.exe, 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\3Fv4j323nj.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100700D NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010074F1 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007509 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007521 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007538 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007555 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007167 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007587 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100759D NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010075B2 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010075E4 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010075FD NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100700B LoadLibraryA,NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100704C NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100744E NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007063 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007086 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010070A5 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010070BC NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007707 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007727 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006FB1 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006FCB NtProtectVirtualMemory,NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007615 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007635 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100764D NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010076A6 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A16DA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A169F NtQuerySystemInformation,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006599
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF623A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF62FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF6B2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF689D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF6969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF695D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF6306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 24_2_048401B7
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409851
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040987E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409828
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004098D6
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040990A
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409932
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004099DD
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040998E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004099B7
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409A62
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409A09
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409AC1
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409AF2
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409A94
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409B48
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040976B
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409B1E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409739
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409BC3
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004097CB
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004093F4
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_004097FA
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00409798
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_00405934
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 30_2_022D01B7

Source: 3Fv4j323nj.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3Fv4j323nj.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3Fv4j323nj.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 3Fv4j323nj.exe, 00000000.00000000.213468397.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenametrenchlet.exe vs 3Fv4j323nj.exe
Source: 3Fv4j323nj.exe	Binary or memory string: OriginalFilenametrenchlet.exe vs 3Fv4j323nj.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll

Source: 3Fv4j323nj.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/11@2/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A149A AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A1463 AdjustTokenPrivileges,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\subfolder1

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7c50348d-f4bf-40ba-b0d6-02de82eca13f}

Source: C:\Users\user\Desktop\3Fv4j323nj.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6F7E0F224F5694D5.TMP

Jump to behavior

Source: 3Fv4j323nj.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\3Fv4j323nj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 3Fv4j323nj.exe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\3Fv4j323nj.exe 'C:\Users\user\Desktop\3Fv4j323nj.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\3Fv4j323nj.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\3Fv4j323nj.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.12.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\RegAsm.pdb~ source: RegAsm.exe, 0000000C.00000002.499348814.000000001DC35000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 0000000C.00000002.502805813.00000000204A0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000C.00000002.482199109.0000000001002000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006C27 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006C41 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBA74B8 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBA74AC push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBAAAF0 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBAABD8 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBA9D73 pushad ; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1DBAAB64 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64369 push esi; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64339 push ebp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64269 push ebp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF645B9 push edi; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF661A0 push esp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64180 push ebp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF63970 push ecx; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF60170 pushad ; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF60961 push 16B2E872h; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF6096D push ss; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF60D59 push 12B5E872h; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF63D40 push esp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64127 push esp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF64511 push edi; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF65911 pushad ; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF638F8 push eax; retn F81Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF640D1 push esp; retn 001Dh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_1FF65831 pushad ; retn 001Dh
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040E4E3 push ecx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 29_2_0040BE2F push esi; ret

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Users\user\subfolder1\filename1.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010074F1 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010043E9 InternetOpenA,InternetOpenUrlA,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002D02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01003125
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002D73
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002D8D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002DAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002DC5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002DEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01003019
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100302B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002C4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_0100704C NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007063 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002C69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002C81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01007086 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01003092
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002C97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010030B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002CB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002CE3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010030EF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002F0D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002F71
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002FC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006FCB NtProtectVirtualMemory,NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002FD2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002BF5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002E1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002E6D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002EB2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01002EC4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000667097 second address: 0000000000667097 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 00000000006639D5 second address: 00000000006639D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F46849B7C88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F46849B7C92h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F46849B7C24h 0x0000002f jmp 00007F46849B7C92h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F46849B7C8Dh 0x00000035 push ecx 0x00000036 jmp 00007F46849B7C92h 0x00000038 test dx, dx 0x0000003b call 00007F46849B7CDFh 0x00000040 call 00007F46849B7C98h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000660F13 second address: 0000000000660F13 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000662D13 second address: 0000000000662D13 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 00000000006632EE second address: 00000000006632EE instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001000FE0 second address: 0000000001000FE0 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001093 second address: 0000000001001093 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001166 second address: 0000000001001166 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001216 second address: 0000000001001216 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001004496 second address: 0000000001004496 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000010045F2 second address: 00000000010045F2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000100220E second address: 000000000100220E instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002398 second address: 000000000100243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46848E3042h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F46848E369Bh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F46848E3115h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F46848E3042h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F46848E3037h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F46848E3042h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F46848E3042h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F46848E3042h 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000100243D second address: 00000000010024DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46849B7C92h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F46849B7DFCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F46849B7C92h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F46849B8315h 0x0000003a jmp 00007F46849B7C92h 0x0000003c jmp 00007F46849B7C9Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F46849B7D54h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F46849B7DC3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F46849B7C96h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F46849B7C92h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F46849B7C92h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F46849B7C92h 0x00000079 pushad 0x0000007a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000010024DF second address: 00000000010024DF instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002599 second address: 0000000001002599 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe	Binary or memory string: U-GA\QEMU-GA.EXE
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000667097 second address: 0000000000667097 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 00000000006639D5 second address: 00000000006639D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F46849B7C88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F46849B7C92h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F46849B7C24h 0x0000002f jmp 00007F46849B7C92h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F46849B7C8Dh 0x00000035 push ecx 0x00000036 jmp 00007F46849B7C92h 0x00000038 test dx, dx 0x0000003b call 00007F46849B7CDFh 0x00000040 call 00007F46849B7C98h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000663C6A second address: 0000000000663C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F46848E55B2h 0x0000001d popad 0x0000001e call 00007F46848E307Dh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000666A3C second address: 0000000000666B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F46849B7C92h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F46849B7C92h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F46849B7C92h 0x00000025 jmp 00007F46849B7C9Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F46849B7C92h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F46849B7C92h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F46849B7C92h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000666B00 second address: 0000000000666BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F46848E3042h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F46848E3042h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F46848E3042h 0x0000002b jmp 00007F46848E304Eh 0x0000002d jmp 00007F46848E3042h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F46848E3042h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F46848E3042h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000666BBF second address: 0000000000666BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F46849B7EA5h 0x00000014 jmp 00007F46849B7C92h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F46849B7C3Eh 0x0000001e jmp 00007F46849B7C92h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 000000000066767F second address: 00000000006676BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F46848E3186h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F46848E317Ch 0x00000025 jmp 00007F46848E3042h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000660F13 second address: 0000000000660F13 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 0000000000662D13 second address: 0000000000662D13 instructions:
Source: C:\Users\user\Desktop\3Fv4j323nj.exe	RDTSC instruction interceptor: First address: 00000000006632EE second address: 00000000006632EE instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001003C6A second address: 0000000001003C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F46848E55B2h 0x0000001d popad 0x0000001e call 00007F46848E307Dh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001006A3C second address: 0000000001006B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F46849B7C92h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F46849B7C92h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F46849B7C92h 0x00000025 jmp 00007F46849B7C9Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F46849B7C92h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F46849B7C92h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F46849B7C92h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001006B00 second address: 0000000001006BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F46848E3042h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F46848E3042h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F46848E3042h 0x0000002b jmp 00007F46848E304Eh 0x0000002d jmp 00007F46848E3042h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F46848E3042h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F46848E3042h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001006BBF second address: 0000000001006BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F46849B7EA5h 0x00000014 jmp 00007F46849B7C92h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F46849B7C3Eh 0x0000001e jmp 00007F46849B7C92h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000100767F second address: 00000000010076BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F46848E3186h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F46848E317Ch 0x00000025 jmp 00007F46848E3042h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001000FE0 second address: 0000000001000FE0 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001093 second address: 0000000001001093 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001166 second address: 0000000001001166 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001216 second address: 0000000001001216 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001004496 second address: 0000000001004496 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000010045F2 second address: 00000000010045F2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000100220E second address: 000000000100220E instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002398 second address: 000000000100243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46848E3042h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F46848E369Bh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F46848E3115h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F46848E3042h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F46848E3037h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F46848E3042h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F46848E3042h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F46848E3042h 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000100243D second address: 00000000010024DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46849B7C92h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F46849B7DFCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F46849B7C92h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F46849B8315h 0x0000003a jmp 00007F46849B7C92h 0x0000003c jmp 00007F46849B7C9Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F46849B7D54h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F46849B7DC3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F46849B7C96h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F46849B7C92h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F46849B7C92h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F46849B7C92h 0x00000079 pushad 0x0000007a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000010024DF second address: 00000000010024DF instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002599 second address: 0000000001002599 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 12_2_010074F1 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5400	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6624	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 12_2_200A11C2 GetSystemInfo,

Source: RegAsm.exe, 0000000C.00000002.502925857.0000000020650000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe	Binary or memory string: u-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000C.00000002.502925857.0000000020650000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000C.00000002.502925857.0000000020650000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000C.00000002.502925857.0000000020650000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 12_2_010074F1 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 12_2_01004A0D LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01005D79 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01005851 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006852 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006888 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_01006899 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010068C1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010068D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010037B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_010037BD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\3Fv4j323nj.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1000000

Source: C:\Users\user\Desktop\3Fv4j323nj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\3Fv4j323nj.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp'

Source: RegAsm.exe, 0000000C.00000002.499790229.000000001DE11000.00000004.00000001.sdmp, filename1.exe, 0000001D.00000002.485586351.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000C.00000002.485410542.0000000001950000.00000002.00000001.sdmp, filename1.exe, 0000001D.00000002.485586351.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000C.00000002.502583683.00000000200C5000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeh
Source: RegAsm.exe, 0000000C.00000002.485410542.0000000001950000.00000002.00000001.sdmp, filename1.exe, 0000001D.00000002.485586351.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000C.00000002.485410542.0000000001950000.00000002.00000001.sdmp, filename1.exe, 0000001D.00000002.485586351.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegAsm.exe, 0000000C.00000002.502583683.00000000200C5000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 12_2_01002FD2 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegAsm.exe, 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A28F6 bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 12_2_200A28C3 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder1	Process Injection112	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Access Token Manipulation1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	DLL Side-Loading1	Process Injection112	LSA Secrets	System Information Discovery313	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3Fv4j323nj.exe	13%	Virustotal		Browse
3Fv4j323nj.exe	6%	ReversingLabs	Win32.Infostealer.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\subfolder1\filename1.exe	7%	ReversingLabs	Win32.Infostealer.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
12.2.RegAsm.exe.20790000.10.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
194.5.98.182	0%	Virustotal		Browse
194.5.98.182	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high
cbavwq.bl.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
194.5.98.182	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X	RegAsm.exe, RegAsm.exe, 0000000C.00000002.482199109.0000000001002000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.182	unknown	Netherlands		208476	DANILENKODE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357177
Start date:	24.02.2021
Start time:	09:17:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	3Fv4j323nj.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/11@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 79.1% (good quality ratio 35.3%) Quality average: 22.8% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 131.253.33.200, 13.107.22.200, 184.30.21.219, 92.122.145.220, 168.61.161.212, 104.43.139.144, 184.30.20.56, 13.88.21.125, 40.88.32.150, 2.20.142.209, 2.20.142.210, 51.103.5.159, 51.104.139.180, 104.42.151.234, 13.107.42.13, 13.107.42.12, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, odc-bl-files-brs.onedrive.akadns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, odc-bl-files-geo.onedrive.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:19:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
09:19:41	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
09:19:41	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:19:41	API Interceptor	167x Sleep call for process: RegAsm.exe modified
09:19:47	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:19:55	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.98.182	PO AAN2102002-V020.doc	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	scan09e8902093922023ce.exe	Get hash	malicious	Browse	194.5.98.46
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	194.5.98.182
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	194.5.98.202
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	Orderoffer.exe	Get hash	malicious	Browse	194.5.98.66
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	OrderSuppliesQuote0817916.exe	Get hash	malicious	Browse	194.5.97.248
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	194.5.97.244
	QuotationInvoices.exe	Get hash	malicious	Browse	194.5.97.248
	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116
	Scan0059.pdf.exe	Get hash	malicious	Browse	194.5.97.34
	DHL AWB # 6008824216.png.exe	Get hash	malicious	Browse	194.5.97.48
	Scan0019.exe	Get hash	malicious	Browse	194.5.97.34
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Hk6Im7DPON.exe	Get hash	malicious	Browse	194.5.98.107

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	SecuriteInfo.com.Variant.Razy.845229.13077.exe	Get hash	malicious	Browse
	document.exe	Get hash	malicious	Browse
	w0JlVAbpIT.exe	Get hash	malicious	Browse
	Bjdl7RO0K8.exe	Get hash	malicious	Browse
	4hW0TZqN01.exe	Get hash	malicious	Browse
	d4e475d7d17a16be8b9eeac6e10b25af.exe	Get hash	malicious	Browse
	e5bd3238d220c97cd4d6969abb3b33e0.exe	Get hash	malicious	Browse
	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse
	xdNg7FUNS2.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.490095782293901
Encrypted:	false
SSDEEP:	768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5:	529695608EAFBED00ACA9E61EF333A7C
SHA1:	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256:	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512:	8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Variant.Razy.845229.13077.exe, Detection: malicious, Browse Filename: document.exe, Detection: malicious, Browse Filename: w0JlVAbpIT.exe, Detection: malicious, Browse Filename: Bjdl7RO0K8.exe, Detection: malicious, Browse Filename: 4hW0TZqN01.exe, Detection: malicious, Browse Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious, Browse Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious, Browse Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious, Browse Filename: Xf6v0G2wIM.exe, Detection: malicious, Browse Filename: jztWD1iKrC.exe, Detection: malicious, Browse Filename: wH22vdkhhU.exe, Detection: malicious, Browse Filename: AqpOn6nwXS.exe, Detection: malicious, Browse Filename: CklrD7MYX2.exe, Detection: malicious, Browse Filename: FahZG6Pdc4.exe, Detection: malicious, Browse Filename: 61WlCsQR9Q.exe, Detection: malicious, Browse Filename: U7DiqWP9qu.exe, Detection: malicious, Browse Filename: d4x5rI09A7.exe, Detection: malicious, Browse Filename: 1WW425NrsA.exe, Detection: malicious, Browse Filename: Kyd6mztyQ5.exe, Detection: malicious, Browse Filename: xdNg7FUNS2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	true
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:EF:EF
MD5:	6E49A312690E315F4BC2BA43AF4030EC
SHA1:	9A9D72CD8DEE34F0255903E39783F6B8FAB4D319
SHA-256:	5F595A3E8DD84AE806A7D2D31169D6C698FFB74CE24CCC14B2549030E1D6BAC3
SHA-512:	AD53023FF9C31AF49E313DCE09A7E7338EAAE29DFF44A7B963F82FAA7DC679393DE3AD1C079C343EED743E33DB3B7BD00F98004542336F8C02F71554DDD6A2F5
Malicious:	true
Preview:	...^...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.787365359936823
Encrypted:	false
SSDEEP:	3:oMty8WbSXgL4A:oMLWuQL4A
MD5:	EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA1:	4D7D378ABEB682EEFBD039930C0EA996FBF54178
SHA-256:	F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
SHA-512:	69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.85840802848053
Encrypted:	false
SSDEEP:	3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
MD5:	ACFCBD916FA04787E4388B339592DD78
SHA1:	F2A572347C81B71C3A59F00A37F68DB698715460
SHA-256:	EDE5C7B0267F4801A7BEBB22A18035923E71A476CEB3B9D94F582AA199DEB3F0
SHA-512:	23B895AD239AC48726A1446299E4534E496BB891530CB11E3764FB871F5F5097B12CCE346FDBCFE4A1C31D46F31A25CE407B17D6AB1A141BEEF9613E92DA817E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....$T.................P...................`....@.........................................................................TY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	4.298581893109255
Encrypted:	false
SSDEEP:	24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
MD5:	367EEEC425FE7E80B723298C447E2F22
SHA1:	3873DFC88AF504FF79231FE2BF0E3CD93CE45195
SHA-256:	481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
SHA-512:	F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
Malicious:	false
Preview:	Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.85840802848053
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3Fv4j323nj.exe
File size:	131072
MD5:	acfcbd916fa04787e4388b339592dd78
SHA1:	f2a572347c81b71c3a59f00a37f68db698715460
SHA256:	ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0
SHA512:	23b895ad239ac48726a1446299e4534e496bb891530cb11e3764fb871f5f5097b12cce346fdbcfe4a1c31d46f31a25ce407b17d6ab1a141beef9613e92da817e
SSDEEP:	3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L.....$T.................P...................`....@................

File Icon


Icon Hash:	01d292796dda0080

Static PE Info

General
Entrypoint:	0x4013dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5424AED4 [Fri Sep 26 00:09:56 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cc882d101998a701353b40b0cd8c341a

Entrypoint Preview

Instruction
push 00412774h
call 00007F4684C461D3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-61h], dl
sub dword ptr [edx+ebx*8], ebx
or al, 66h
dec esi
mov eax, 1FB77221h
sbb cl, byte ptr [ecx+2Eh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec ebp
inc ecx
inc edi
dec ecx
push ebx
push esp
inc ebp
push edx
add byte ptr [eax], al
add byte ptr [eax], al
jecxz 00007F4684C461EFh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add al, C9h
pop ecx
and ch, cl
hlt
pushad
out 43h, al
mov ch, 90h
fdiv qword ptr [edi-37F9A4A3h]
inc ebx
imul ebx, dword ptr [ebx+eax*4+04h], B74A52B6h
adc dh, byte ptr [ebx-52h]
mov dh, A6h
mov byte ptr [eax+33AD4F3Ah], FFFFFF99h
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, ebp
adc al, byte ptr [ecx]
add byte ptr [esi+0000007Fh], dl
pop es
add byte ptr [ecx+67h], cl
outsb
aaa
add byte ptr [66000801h], cl
insb
insb
popad
bound ebp, dword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15954	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x83d6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14d84	0x15000	False	0.395542689732	data	5.53569539518	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0xa18	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x83d6	0x9000	False	0.340196397569	data	3.52970620397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x1f2ae	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x1dc86	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1bfde	0x1ca8	data
RT_ICON	0x1b336	0xca8	data
RT_ICON	0x1afce	0x368	GLS_BINARY_LSB_FIRST
RT_ICON	0x18a26	0x25a8	data
RT_ICON	0x1797e	0x10a8	data
RT_ICON	0x17516	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x174a0	0x76	data
RT_VERSION	0x17240	0x260	data

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0000 0x04b0
InternalName	trenchlet
FileVersion	1.00
CompanyName	Sinth Radio
ProductName	Sinth Radio
ProductVersion	1.00
FileDescription	Sinth Radio
OriginalFilename	trenchlet.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 09:19:41.300220966 CET	49743	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:41.379900932 CET	3765	49743	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:41.881926060 CET	49743	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:41.961496115 CET	3765	49743	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:42.475744963 CET	49743	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:42.558160067 CET	3765	49743	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:46.663628101 CET	49744	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:46.731425047 CET	3765	49744	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:47.241864920 CET	49744	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:47.310600996 CET	3765	49744	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:47.851201057 CET	49744	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:47.918890953 CET	3765	49744	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:51.932102919 CET	49745	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:51.999983072 CET	3765	49745	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:52.554655075 CET	49745	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:52.624054909 CET	3765	49745	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:53.242300034 CET	49745	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:53.311188936 CET	3765	49745	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:57.352601051 CET	49746	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:57.420849085 CET	3765	49746	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:58.055802107 CET	49746	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:58.123481989 CET	3765	49746	194.5.98.182	192.168.2.3
Feb 24, 2021 09:19:58.742737055 CET	49746	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:19:58.810707092 CET	3765	49746	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:02.888335943 CET	49750	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:02.957760096 CET	3765	49750	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:03.556118011 CET	49750	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:03.623994112 CET	3765	49750	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:04.244697094 CET	49750	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:04.312689066 CET	3765	49750	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:08.332813025 CET	49751	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:08.412843943 CET	3765	49751	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:09.056123972 CET	49751	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:09.135972977 CET	3765	49751	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:09.743658066 CET	49751	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:09.825552940 CET	3765	49751	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:13.889895916 CET	49752	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:13.957961082 CET	3765	49752	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:14.556612968 CET	49752	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:14.624669075 CET	3765	49752	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:15.244081974 CET	49752	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:15.312050104 CET	3765	49752	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:19.327959061 CET	49753	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:19.397562027 CET	3765	49753	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:20.057024956 CET	49753	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:20.127264977 CET	3765	49753	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:20.744601965 CET	49753	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:20.812661886 CET	3765	49753	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:24.866000891 CET	49754	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:24.945856094 CET	3765	49754	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:25.557502031 CET	49754	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:25.637367010 CET	3765	49754	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:26.151344061 CET	49754	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:26.231223106 CET	3765	49754	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:30.285603046 CET	49755	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:30.353274107 CET	3765	49755	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:30.854815960 CET	49755	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:30.923059940 CET	3765	49755	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:31.558011055 CET	49755	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:31.626044989 CET	3765	49755	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:35.653356075 CET	49756	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:35.721105099 CET	3765	49756	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:36.245901108 CET	49756	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:36.315162897 CET	3765	49756	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:36.855320930 CET	49756	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:36.923559904 CET	3765	49756	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:40.971987009 CET	49757	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:41.051913023 CET	3765	49757	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:41.558893919 CET	49757	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:41.639123917 CET	3765	49757	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:42.246387005 CET	49757	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:42.326005936 CET	3765	49757	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:46.366910934 CET	49758	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:46.446589947 CET	3765	49758	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:47.052978039 CET	49758	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:47.133605003 CET	3765	49758	194.5.98.182	192.168.2.3
Feb 24, 2021 09:20:47.746603966 CET	49758	3765	192.168.2.3	194.5.98.182
Feb 24, 2021 09:20:47.827811956 CET	3765	49758	194.5.98.182	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 09:17:48.956769943 CET	51281	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:48.980241060 CET	49199	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:49.011619091 CET	53	51281	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:49.034463882 CET	53	49199	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:49.705398083 CET	50620	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:49.766128063 CET	53	50620	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:50.123684883 CET	64938	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:50.175513029 CET	53	64938	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:51.459873915 CET	60152	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:51.511327028 CET	53	60152	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:51.698739052 CET	57544	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:51.757580042 CET	53	57544	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:52.751905918 CET	55984	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:52.803951979 CET	53	55984	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:54.673037052 CET	64185	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:54.724788904 CET	53	64185	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:56.019535065 CET	65110	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:56.073129892 CET	53	65110	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:57.311530113 CET	58361	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:57.360574961 CET	53	58361	8.8.8.8	192.168.2.3
Feb 24, 2021 09:17:59.473475933 CET	63492	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:17:59.523004055 CET	53	63492	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:00.629548073 CET	60831	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:00.681612015 CET	53	60831	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:22.192106009 CET	60100	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:22.251553059 CET	53	60100	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:36.506161928 CET	53195	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:36.555207014 CET	53	53195	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:37.859616995 CET	50141	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:37.908946037 CET	53	50141	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:38.950968981 CET	53023	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:39.000190973 CET	53	53023	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:40.336797953 CET	49563	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:40.388636112 CET	53	49563	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:42.263293982 CET	51352	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:42.326663017 CET	53	51352	8.8.8.8	192.168.2.3
Feb 24, 2021 09:18:43.296252966 CET	59349	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:18:43.347326040 CET	53	59349	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:03.862909079 CET	57084	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:03.911844015 CET	53	57084	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:07.624607086 CET	58823	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:07.687391043 CET	53	58823	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:13.906763077 CET	57568	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:13.955673933 CET	53	57568	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:15.050631046 CET	50540	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:15.109963894 CET	53	50540	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:16.576379061 CET	54366	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:16.625118971 CET	53	54366	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:17.980823040 CET	53034	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:18.052654028 CET	53	53034	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:36.900980949 CET	57762	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:36.952677965 CET	53	57762	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:37.573504925 CET	55435	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:37.661463976 CET	53	55435	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:39.585629940 CET	50713	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:39.637490988 CET	53	50713	8.8.8.8	192.168.2.3
Feb 24, 2021 09:19:57.256592989 CET	56132	53	192.168.2.3	8.8.8.8
Feb 24, 2021 09:19:57.318309069 CET	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 09:19:36.900980949 CET	192.168.2.3	8.8.8.8	0xa4b6	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 24, 2021 09:19:37.573504925 CET	192.168.2.3	8.8.8.8	0xbee7	Standard query (0)	cbavwq.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Feb 24, 2021 09:19:36.952677965 CET	8.8.8.8	192.168.2.3	0xa4b6	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 09:19:37.661463976 CET	8.8.8.8	192.168.2.3	0xbee7	No error (0)	cbavwq.bl.files.1drv.com	bl-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 09:19:37.661463976 CET	8.8.8.8	192.168.2.3	0xbee7	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 3Fv4j323nj.exe PID: 6520 Parent PID: 5724

General

Start time:	09:17:58
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\3Fv4j323nj.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3Fv4j323nj.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	ACFCBD916FA04787E4388B339592DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 808 Parent PID: 6520

General

Start time:	09:19:21
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3Fv4j323nj.exe'
Imagebase:	0xc30000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000C.00000002.482199109.0000000001002000.00000040.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: conhost.exe PID: 1748 Parent PID: 808

General

Start time:	09:19:22
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 4800 Parent PID: 808

General

Start time:	09:19:39
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp'
Imagebase:	0x1b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3728 Parent PID: 4800

General

Start time:	09:19:40
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5364 Parent PID: 808

General

Start time:	09:19:40
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE7FA.tmp'
Imagebase:	0x1b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5384 Parent PID: 5364

General

Start time:	09:19:40
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 5344 Parent PID: 528

General

Start time:	09:19:41
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase:	0x80000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 5412 Parent PID: 5344

General

Start time:	09:19:41
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 2156 Parent PID: 528

General

Start time:	09:19:41
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x6c0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Analysis Process: conhost.exe PID: 4000 Parent PID: 2156

General

Start time:	09:19:41
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: filename1.exe PID: 5044 Parent PID: 3388

General

Start time:	09:19:47
Start date:	24/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	ACFCBD916FA04787E4388B339592DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 7%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exe PID: 5736 Parent PID: 3388

General

Start time:	09:19:55
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x10000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 1264 Parent PID: 5736

General

Start time:	09:19:55
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 3Fv4j323nj.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre