Analysis Report V33QokMrIv.exe

Overview

General Information

Sample Name: V33QokMrIv.exe
Analysis ID: 357184
MD5: e18dbe57194dd717d54a907ba8e6d3e1
SHA1: 76bacc8c5fbbf675399c39c42565dfc3d77be98b
SHA256: b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
Tags: exe, GuLoader

Detection

Nanocore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Yara detected Nanocore RAT
Source: Yara match File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files
Source: V33QokMrIv.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbxe2b source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.15.dr
Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 194.5.98.202:4488
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 194.5.98.202
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 194.5.98.202:4488
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/Jep
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp, RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/y4m_7vjlVAP2dktIZ7ToWB_X8Tx5mpxc0CHqB4Dc4Xc8QJNrWia8ZAB0h8vRJGCEryL
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/zZm

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\V33QokMrIv.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\subfolder1\filename1.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_0100723F NtProtectVirtualMemory, 15_2_0100723F
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 22_2_049101B7 22_2_049101B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_050101B7 24_2_050101B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_049A01C8 27_2_049A01C8
PE file contains strange resources
Source: V33QokMrIv.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: V33QokMrIv.exe, 00000000.00000000.646684744.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe
Source: V33QokMrIv.exe Binary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Yara signature match
Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/12@2/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
Source: C:\Users\user\Desktop\V33QokMrIv.exe File created: C:\Users\user\AppData\Local\Temp\~DF65C51E8A0EADE8B5.TMP
Source: V33QokMrIv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V33QokMrIv.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\V33QokMrIv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\V33QokMrIv.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
Source: unknown Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\Desktop\V33QokMrIv.exe Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01007101 push cs; ret 15_2_01007104
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006105 push cs; ret 15_2_01006108
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01004109 push cs; ret 15_2_0100410C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01003109 push cs; ret 15_2_0100310C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01007111 push cs; ret 15_2_01007114
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01007125 push cs; ret 15_2_01007128
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_0100612D push cs; ret 15_2_01006130
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01004135 push cs; ret 15_2_01004138
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_0100713D push cs; ret 15_2_01007140
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006141 push cs; ret 15_2_01006144
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_0100614F push cs; ret 15_2_01006150
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006159 push cs; ret 15_2_0100615C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01007171 push cs; ret 15_2_01007174
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006175 push cs; ret 15_2_01006178
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01003179 push cs; ret 15_2_0100317C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006185 push cs; ret 15_2_01006188
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_0100718D push cs; ret 15_2_01007190
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006199 push cs; ret 15_2_0100619C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010061A9 push cs; ret 15_2_010061AC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010031B5 push cs; ret 15_2_010031B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010061B5 push cs; ret 15_2_010061B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010071B5 push cs; ret 15_2_010071B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010071D1 push cs; ret 15_2_010071D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010061D5 push cs; ret 15_2_010061D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010031E5 push cs; ret 15_2_010031E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010041ED push cs; ret 15_2_010041F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010041F1 push FFFFFF84h; ret 15_2_010041F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010071F5 push cs; ret 15_2_010071F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010041FD push cs; ret 15_2_01004200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010061FF push cs; ret 15_2_01006200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006001 push cs; ret 15_2_01006004

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\V33QokMrIv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000626160 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FCC9C394612h 0x0000000c fnop 0x0000000e jmp 00007FCC9C394612h 0x00000010 test dl, FFFFFF9Ch 0x00000013 jmp 00007FCC9C394612h 0x00000015 test bl, bl 0x00000017 jmp 00007FCC9C394612h 0x00000019 pushad 0x0000001a mov bl, ACh 0x0000001c cmp bl, FFFFFFACh 0x0000001f jne 00007FCC9C391E83h 0x00000025 popad 0x00000026 mov eax, 00000539h 0x0000002b jmp 00007FCC9C394612h 0x0000002d cmp bx, F525h 0x00000032 mov ecx, dword ptr [ebp+1Ch] 0x00000035 mov edx, 8802EDACh 0x0000003a call 00007FCC9C393F5Fh 0x0000003f push esi 0x00000040 push edx 0x00000041 push ecx 0x00000042 jmp 00007FCC9C394612h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000623B7D second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c test bx, ax 0x0000000f mov ecx, 00A95F60h 0x00000014 push ecx 0x00000015 jmp 00007FCC9CA33912h 0x00000017 pushad 0x00000018 mov al, 1Eh 0x0000001a cmp al, 1Eh 0x0000001c jne 00007FCC9CA33799h 0x00000022 popad 0x00000023 call 00007FCC9CA33959h 0x00000028 call 00007FCC9CA33918h 0x0000002d lfence 0x00000030 mov edx, dword ptr [7FFE0014h] 0x00000036 lfence 0x00000039 ret 0x0000003a mov esi, edx 0x0000003c pushad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000623C11 second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCC9C394608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FCC9C394612h 0x00000020 test dx, cx 0x00000023 add edi, edx 0x00000025 jmp 00007FCC9C394612h 0x00000027 test bh, ah 0x00000029 dec ecx 0x0000002a cmp eax, ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007FCC9C3945AAh 0x00000031 push ecx 0x00000032 jmp 00007FCC9C394612h 0x00000034 pushad 0x00000035 mov al, 1Eh 0x00000037 cmp al, 1Eh 0x00000039 jne 00007FCC9C394499h 0x0000003f popad 0x00000040 call 00007FCC9C394659h 0x00000045 call 00007FCC9C394618h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000624994 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+1Ch] 0x0000000d jmp 00007FCC9C394612h 0x0000000f test ecx, 0CA7638Eh 0x00000015 mov edx, 8B8E133Dh 0x0000001a test ebx, eax 0x0000001c call 00007FCC9C395789h 0x00000021 push esi 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FCC9C394612h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000624C68 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FCC9CA347D7h 0x0000000f push esi 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCC9CA33912h 0x00000014 pushad 0x00000015 lfence 0x00000018 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\V33QokMrIv.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\V33QokMrIv.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000623EAA second address: 0000000000623EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe RDTSC instruction interceptor: First address: 0000000000625860 second address: 00000000006259B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007FCC9C394612h 0x0000000e test edx, eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push dword ptr [ebp+00000110h] 0x00000018 call 00007FCC9C394713h 0x0000001d mov ecx, dword ptr [esp+0Ch] 0x00000021 mov edx, dword ptr [esp+08h] 0x00000025 jmp 00007FCC9C394612h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001003EAA second address: 0000000001003EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001001FFF second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [edi+00000818h], eax 0x00000011 jmp 00007FCC9C394612h 0x00000013 test bh, dh 0x00000015 mov ebx, dword ptr [edi+3Ch] 0x00000018 add ebx, 000000F8h 0x0000001e mov dword ptr [edi+00000810h], ebx 0x00000024 mov esi, edi 0x00000026 jmp 00007FCC9C394612h 0x00000028 cmp cx, AB77h 0x0000002d add esi, 00001000h 0x00000033 xor edx, edx 0x00000035 push edx 0x00000036 push ebx 0x00000037 push 00000028h 0x00000039 jmp 00007FCC9C394612h 0x0000003b cmp bl, al 0x0000003d mov eax, dword ptr [ebp+20h] 0x00000040 add eax, ebx 0x00000042 push eax 0x00000043 test ax, cx 0x00000046 push esi 0x00000047 call 00007FCC9C397F25h 0x0000004c mov ecx, dword ptr [esp+0Ch] 0x00000050 mov edx, dword ptr [esp+08h] 0x00000054 jmp 00007FCC9C394612h 0x00000056 pushad 0x00000057 lfence 0x0000005a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000010022AC second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+10h], 00000000h 0x0000000a mov dword ptr [ebp+14h], 00000000h 0x00000011 cmp dword ptr [edi+00000814h], 00000000h 0x00000018 je 00007FCC9CA33B5Eh 0x0000001e jmp 00007FCC9CA33912h 0x00000020 cmp bl, al 0x00000022 test ax, cx 0x00000025 jmp 00007FCC9CA33912h 0x00000027 pushad 0x00000028 mov bx, 1417h 0x0000002c cmp bx, 1417h 0x00000031 jne 00007FCC9CA31BADh 0x00000037 popad 0x00000038 test dh, ch 0x0000003a push ecx 0x0000003b cmp edx, edx 0x0000003d mov esi, dword ptr [edi+00000814h] 0x00000043 mov eax, dword ptr [edi+00000800h] 0x00000049 add eax, esi 0x0000004b add eax, ecx 0x0000004d push 00000014h 0x0000004f push eax 0x00000050 mov ebx, edi 0x00000052 add ebx, 00000C00h 0x00000058 push ebx 0x00000059 call 00007FCC9CA36F76h 0x0000005e mov ecx, dword ptr [esp+0Ch] 0x00000062 mov edx, dword ptr [esp+08h] 0x00000066 jmp 00007FCC9CA33912h 0x00000068 pushad 0x00000069 lfence 0x0000006c rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01002990 rdtsc 15_2_01002990
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: foregroundWindowGot 556 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5808 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6148 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000F.00000002.1191908435.00000000014F0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\V33QokMrIv.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\V33QokMrIv.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01002990 rdtsc 15_2_01002990
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01004DA1 LdrInitializeThunk, 15_2_01004DA1
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006010 mov eax, dword ptr fs:[00000030h] 15_2_01006010
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010039D3 mov eax, dword ptr fs:[00000030h] 15_2_010039D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010039F5 mov eax, dword ptr fs:[00000030h] 15_2_010039F5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006B11 mov eax, dword ptr fs:[00000030h] 15_2_01006B11
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006B25 mov eax, dword ptr fs:[00000030h] 15_2_01006B25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01005A40 mov eax, dword ptr fs:[00000030h] 15_2_01005A40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006AB7 mov eax, dword ptr fs:[00000030h] 15_2_01006AB7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006AC9 mov eax, dword ptr fs:[00000030h] 15_2_01006AC9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_01006AF1 mov eax, dword ptr fs:[00000030h] 15_2_01006AF1
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\V33QokMrIv.exe Memory written: C:\Windows\System32\taskhostw.exe base: 1000000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\V33QokMrIv.exe Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp' Jump to behavior
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: RegAsm.exe, 0000000F.00000002.1191997352.000000000158D000.00000004.00000001.sdmp Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_010029AD cpuid 15_2_010029AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000F.00000002.1213259233.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE
Behavior Graph:

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Behavior Graph ID: 357184, Sample: V33QokMrIv.exe, Startdate: 24/02/2021, Architecture: WINDOWS, Score: 100

Top-level signatures:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • 8 other signatures

Processes started from the top level: V33QokMrIv.exe (1), RegAsm.exe (4), dhcpmon.exe (4), 3 other processes

V33QokMrIv.exe:
  • Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
  • Started: RegAsm.exe (2, 23), taskhostw.exe

RegAsm.exe (started from top level):
  • Dropped: C:\Users\user\AppData\...\RegAsm.exe.log, ASCII
  • Started: conhost.exe

dhcpmon.exe (started from top level):
  • Started: conhost.exe

3 other processes (started from top level):
  • Started: conhost.exe

RegAsm.exe (started by V33QokMrIv.exe):
  • DNS/IP Info: 194.5.98.202, ports 4488, 49766, 49767, DANILENKODE, Netherlands; onedrive.live.com; 2 other IPs or domains
  • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp7CFF.tmp, XML; C:\Users\user\subfolder1\filename1.exe, PE32; C:\Program Files (x86)\...\dhcpmon.exe, PE32
  • Signatures: Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)

taskhostw.exe (started by V33QokMrIv.exe):
  • Started: schtasks.exe (1), schtasks.exe (1), conhost.exe

schtasks.exe (each instance, started by taskhostw.exe):
  • Started: conhost.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.202 | unknown | Netherlands | 208476 | DANILENKODE | true

Contacted Domains

Name | IP | Active
onedrive.live.com | unknown | unknown
ibkebw.dm.files.1drv.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
194.5.98.202 | true | Avira URL Cloud: safe | unknown