

Analysis Report CU3e1CWzlr.exe

Overview

General Information

Sample Name: CU3e1CWzlr.exe
Analysis ID: 383199
MD5: bc906f26edfec13cdb13d8a6b97f344b
SHA1: 33933248690d87f77693865e7393395ec2ea3792
SHA256: 23ac7754b6ad5fc382857b05ad514a716cd3dcf861867d3be02a5a92ca7fe067
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CU3e1CWzlr.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\CU3e1CWzlr.exe' MD5: BC906F26EDFEC13CDB13D8A6B97F344B)
    • cmd.exe (PID: 6240 cmdline: C:\Windows\system32\cmd.exe /c ''C:\1.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Quotation.sfx.exe (PID: 6312 cmdline: Quotation.sfx.exe -p123 dc:\ MD5: 9C30B408BBF38395C4BB213682044B68)
        • Quotation.exe (PID: 6488 cmdline: 'C:\Quotation.exe' MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
          • schtasks.exe (PID: 6512 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 6568 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Quotation.exe (PID: 6636 cmdline: C:\Quotation.exe 0 MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • dhcpmon.exe (PID: 6656 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • dhcpmon.exe (PID: 6872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "894ac765-a5c8-42af-bb6a-ac66f210", "Group": "Default", "Domain1": "185.244.26.250", "Domain2": "oleg321.ddns.net", "Port": 3231, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
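The configuration above is what drives the behaviour in the process tree: Domain1/Domain2 and Port are the C2 endpoints, RunOnStartup is the scheduled-task persistence, and BypassUserAccountControlData is the task XML that schtasks.exe later imports from a tmp*.tmp file. The Python below is an added example (not Joe Sandbox code and not part of the original report) that pulls the actionable indicators out of such a dump and inspects the embedded task definition. The configuration values are copied from this report; the task XML is cut down to the elements the checks read; the dynamic-DNS suffix list is a partial, hand-picked assumption.

```python
"""Triage helpers for a NanoCore configuration dump (added example, not Joe Sandbox code)."""
import ipaddress
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Assumption: a partial, hand-picked list of dynamic-DNS provider zones.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "duckdns.org")

# Values copied from this report's Malware Configuration section. The task XML keeps
# only the elements the checks below read; the report shows the full <Settings> block.
NANOCORE_CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "894ac765-a5c8-42af-bb6a-ac66f210",
    "Domain1": "185.244.26.250",
    "Domain2": "oleg321.ddns.net",
    "Port": 3231,
    "RunOnStartup": "Enable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "",
    "BackupDNSServer": "",
    "BypassUserAccountControlData": (
        '<?xml version="1.0" encoding="UTF-16"?>\r\n'
        f'<Task version="1.2" xmlns="{TASK_NS}">\r\n'
        '  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>\r\n"
        '  <Actions Context="Author"><Exec><Command>"#EXECUTABLEPATH"</Command>'
        "<Arguments>$(Arg0)</Arguments></Exec></Actions>\r\n"
        "</Task>"
    ),
}


def is_dynamic_dns(domain):
    """True when the name is a label under one of the listed dynamic-DNS zones."""
    return any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES)


def extract_iocs(cfg):
    """Sort the DomainN fields into IPs and hostnames and collect the host/network IOCs."""
    ips, domains = [], []
    for key, value in cfg.items():
        if not key.startswith("Domain") or not value:
            continue
        try:
            ipaddress.ip_address(value)
            ips.append(value)
        except ValueError:
            domains.append(value.lower().rstrip("."))
    return {
        "c2_ips": ips,
        "c2_domains": domains,
        "dynamic_dns": [d for d in domains if is_dynamic_dns(d)],
        "port": int(cfg["Port"]),
        "mutex": cfg["Mutex"],
        "persists": cfg.get("RunOnStartup") == "Enable",
        "uac_bypass": cfg.get("BypassUAC") == "Enable",
        "strips_motw": cfg.get("ClearZoneIdentifier") == "Enable",  # deletes the Zone.Identifier stream
        "custom_dns": cfg.get("UseCustomDNS") == "Enable",
    }


def analyze_task_xml(xml_text):
    """Inspect the task definition the client writes to %TEMP% and imports via schtasks /xml."""
    # The blob declares UTF-16 but is already decoded text here, so drop the declaration
    # rather than let the parser trip over a mismatched encoding.
    body = re.sub(r"^<\?xml[^>]*\?>", "", xml_text.strip()).lstrip()
    root = ET.fromstring(body)
    ns = {"t": TASK_NS}
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=ns)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=ns)
    return {
        "run_level": run_level,
        "command": command,
        # HighestAvailable runs the task with the caller's full token; for an
        # administrator that is elevation without a UAC prompt.
        "elevated": run_level == "HighestAvailable",
        # #EXECUTABLEPATH is a placeholder for the installed client's path. The report
        # shows the task being registered from a tmp*.tmp file, not the substituted value.
        "templated_path": "#EXECUTABLEPATH" in command,
    }


def triage(cfg):
    """IOCs plus the task analysis, ready for blocklists and hunting queries."""
    result = extract_iocs(cfg)
    result["task"] = analyze_task_xml(cfg["BypassUserAccountControlData"])
    return result


if __name__ == "__main__":
    print(json.dumps(triage(NANOCORE_CONFIG), indent=2))
```

Against this report's values the output lists one raw C2 IP, one dynamic-DNS hostname, port 3231 and a task that runs with RunLevel HighestAvailable, which is what the two schtasks.exe /create lines in the process tree register.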

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q
C:\Quotation.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(3 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
(50 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.dhcpmon.exe.3fd311d.4.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0x24178:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
      • 0x241a5:$x2: IClientNetworkHost
11.2.dhcpmon.exe.3fd311d.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0x24178:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0x25253:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
      • 0x24192:$s5: IClientLoggingHost
11.2.dhcpmon.exe.3fd311d.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.424eaf4.4.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0x287a1:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost
        • 0x287ce:$x2: IClientNetworkHost
12.2.dhcpmon.exe.424eaf4.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xf7ad:$x2: NanoCore.ClientPluginHost
        • 0x287a1:$x2: NanoCore.ClientPluginHost
        • 0x10888:$s4: PipeCreated
        • 0x2987c:$s4: PipeCreated
        • 0xf7c7:$s5: IClientLoggingHost
        • 0x287bb:$s5: IClientLoggingHost
(98 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Quotation.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Quotation.exe' , ParentImage: C:\Quotation.exe, ParentProcessId: 6488, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', ProcessId: 6512
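Both Sigma hits above key on a single event each: a schtasks.exe /create whose /xml argument points into a temp directory, and a run.dat written under a GUID-named folder in %APPDATA%. The Python below re-implements that logic as an added example; it is neither Joe Security's Sigma rules nor Joe Sandbox code. The events are constructed dictionaries in the shape of Sysmon process-creation (EventID 1) and file-creation (EventID 11) records, carrying the values shown in this report plus benign look-alikes, and the set of directories treated as "temp locations" is an assumption.

```python
"""Re-implementation of the two detections this report triggered (added example)."""
import re

# Assumption: directories counted as temp locations. Extend for your estate.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|^[A-Z]:\\Temp\\", re.IGNORECASE)
GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
# NanoCore keeps its state under %APPDATA%\<GUID>\ (run.dat), as the Sigma hit above shows.
NANOCORE_RUNDAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
# /xml argument: single-quoted, double-quoted or bare path.
XML_ARG_RE = re.compile(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def scheduled_task_from_temp(event):
    """EventID 1: schtasks.exe /create importing its task XML from a temp directory."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = event.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    match = XML_ARG_RE.search(cmd)
    if not match:
        return False
    xml_path = next(g for g in match.groups() if g is not None)
    return TEMP_DIR_RE.search(xml_path) is not None


def nanocore_rundat(event):
    """EventID 11: run.dat created inside a GUID-named folder under %APPDATA%."""
    if event.get("EventID") != 11:
        return False
    return NANOCORE_RUNDAT_RE.search(event.get("TargetFilename", "")) is not None


DETECTIONS = [
    ("Scheduled temp file as task from temp location", scheduled_task_from_temp),
    ("NanoCore", nanocore_rundat),
]

# Constructed events. The first and fourth carry the values from this report's Sigma
# section; the others are benign look-alikes showing what the rules do not fire on.
EVENTS = [
    {"EventID": 1, "ProcessId": 6512, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Quotation.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\nightly.xml"'},
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "DHCP Monitor"'},
    {"EventID": 11, "ProcessId": 6488, "Image": r"C:\Quotation.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Program Files\SomeApp\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\SomeApp\run.dat"},
]


def run_detections(events):
    """Return (rule title, ProcessId) for every event a rule fires on, in log order."""
    return [(title, ev["ProcessId"]) for ev in events for title, rule in DETECTIONS if rule(ev)]


if __name__ == "__main__":
    for title, pid in run_detections(EVENTS):
        print(f"{title}: PID {pid}")
```

The /xml path check is the discriminating part: legitimate software does register tasks from XML, but from an installer's own directory rather than from a freshly written tmp*.tmp in the user's temp folder, and deleting that file afterwards (as this sample's run suggests) leaves the process-creation record as the only trace.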

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Quotation.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the configuration is identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 86%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Source: C:\Quotation.exe | Metadefender: Detection: 86%
Source: C:\Quotation.exe | ReversingLabs: Detection: 100%
Source: C:\Quotation.sfx.exe | Metadefender: Detection: 27%
Source: C:\Quotation.sfx.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: CU3e1CWzlr.exe | Virustotal: Detection: 56%
Source: CU3e1CWzlr.exe | Metadefender: Detection: 32%
Source: CU3e1CWzlr.exe | ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match | File source: C:\Quotation.exe, type: DROPPED
Source: Yara match | File source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Quotation.sfx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Quotation.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CU3e1CWzlr.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.Quotation.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.5440000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 11.2.dhcpmon.exe.860000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Quotation.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.160000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.dhcpmon.exe.860000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.aa0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Quotation.exe.160000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.aa0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: CU3e1CWzlr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Quotation.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CU3e1CWzlr.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: CU3e1CWzlr.exe
Source: Binary string: rlib.pdbLE=C:\( | source: Quotation.exe, 00000005.00000002.466255893.0000000000930000.00000004.00000040.sdmp
Source: Binary string: ib.pdb>r | source: Quotation.exe, 00000005.00000002.466500509.000000000099C000.00000004.00000020.sdmp
Source: Binary string: mscorrc.pdb | source: Quotation.exe, 00000005.00000002.471858853.0000000005150000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CCA2C3
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CE7D69 FindFirstFileExA,0_2_00CE7D69
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CDA536
Source: C:\Quotation.sfx.exe | Code function: 4_2_0034A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,4_2_0034A2C3
Source: C:\Quotation.sfx.exe | Code function: 4_2_0035A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,4_2_0035A536
Source: C:\Quotation.sfx.exe | Code function: 4_2_00367D69 FindFirstFileExA,4_2_00367D69

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 185.244.26.250
Source: Malware configuration extractor | URLs: oleg321.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: oleg321.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49717 -> 185.244.26.250:3231
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: VAMU-ASIP-TRANSITVAMURU VAMU-ASIP-TRANSITVAMURU
Source: unknown | UDP traffic detected without corresponding DNS query: 37.235.1.174 (9 occurrences)
Source: unknown | DNS traffic detected: queries for: oleg321.ddns.net
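The network lines above are three separate observations the sandbox correlates: a DNS query for the configured dynamic-DNS name, a TCP session to the configured C2 address on the configured port, and UDP packets to an address that no DNS answer ever returned. The Python below is an added example (not Joe Sandbox code) of the same correlation over Zeek-style connection and DNS records. The C2 host and port, the client address 192.168.2.3 and the 37.235.1.174 destination are taken from this report; the records themselves, their timestamps, the port on the 37.235.1.174 flow, the resolver 8.8.8.8 and the TEST-NET answers are constructed assumptions.

```python
"""Correlating connection records with DNS answers and the config IOCs (added example)."""
import ipaddress

# From this report: C2 endpoints and port out of the malware configuration.
C2_HOSTS = {"185.244.26.250", "oleg321.ddns.net"}
C2_PORT = 3231
# Assumption: the resolver the monitored host is expected to use.
SANCTIONED_RESOLVERS = {"8.8.8.8"}

# Constructed records in a Zeek-like shape (subset of dns.log / conn.log fields).
# The C2 address, the client address and 37.235.1.174 come from the report; timestamps,
# the port on the 37.235.1.174 flow and the TEST-NET answers are made up for the example.
DNS_LOG = [
    {"ts": 100.0, "id.resp_h": "8.8.8.8", "query": "oleg321.ddns.net", "answers": ["203.0.113.10"]},
    {"ts": 100.5, "id.resp_h": "8.8.8.8", "query": "www.example.com", "answers": ["203.0.113.20"]},
]
CONN_LOG = [
    {"ts": 101.0, "proto": "tcp", "id.orig_h": "192.168.2.3", "id.resp_h": "185.244.26.250", "id.resp_p": 3231},
    {"ts": 102.0, "proto": "udp", "id.orig_h": "192.168.2.3", "id.resp_h": "37.235.1.174", "id.resp_p": 53},
    {"ts": 103.0, "proto": "udp", "id.orig_h": "192.168.2.3", "id.resp_h": "8.8.8.8", "id.resp_p": 53},
    {"ts": 104.0, "proto": "tcp", "id.orig_h": "192.168.2.3", "id.resp_h": "203.0.113.20", "id.resp_p": 443},
    {"ts": 105.0, "proto": "tcp", "id.orig_h": "192.168.2.3", "id.resp_h": "192.168.2.1", "id.resp_p": 445},
]


def resolved_addresses(dns_log):
    """Map every answered address to the first name that returned it."""
    resolved = {}
    for rec in dns_log:
        for ip in rec["answers"]:
            resolved.setdefault(ip, rec["query"].lower())
    return resolved


def correlate(dns_log, conn_log):
    """Return (finding, detail) pairs: DNS findings first, then connections in log order."""
    findings = []
    for rec in dns_log:
        if rec["query"].lower() in C2_HOSTS:
            findings.append(("c2_domain_query", rec["query"]))
    resolved = resolved_addresses(dns_log)
    for conn in conn_log:
        dst, port = conn["id.resp_h"], conn["id.resp_p"]
        if ipaddress.ip_address(dst).is_private:
            continue  # LAN traffic is out of scope for these checks
        if dst in SANCTIONED_RESOLVERS and port == 53:
            continue  # the host's own resolver is never itself "resolved"
        if dst in C2_HOSTS and port == C2_PORT:
            findings.append(("c2_connection", f"{dst}:{port}"))
        if port == 53:
            findings.append(("dns_to_unsanctioned_resolver", dst))
        if dst not in resolved:
            # Destinations no DNS answer ever returned, e.g. a hard-coded C2 address
            # such as Domain1 in the configuration above.
            findings.append((f"{conn['proto']}_without_dns", dst))
    return findings


if __name__ == "__main__":
    for finding, detail in correlate(DNS_LOG, CONN_LOG):
        print(f"{finding}: {detail}")
```

The "without corresponding DNS query" check is only as good as the DNS visibility behind it: a client that sends its own DNS traffic to a resolver of its choosing (UseCustomDNS is enabled in this configuration) still produces answers, but they bypass the sanctioned resolver, which is why the example flags port-53 traffic to any other address as well.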