Analysis Report AIC7VMxudf.exe

Overview

General Information

Sample Name: AIC7VMxudf.exe
Analysis ID: 383611
MD5: d14d623ad514f6ef05fb94541868b29c
SHA1: d5a787167ab02d7fd194fccb1f6335c8927702ad
SHA256: ff6ac9d2d223f204f998eb31cf4dc2045bee3ba86f481d8cea7a8b24a2ebf889
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AIC7VMxudf.exe (PID: 4872 cmdline: 'C:\Users\user\Desktop\AIC7VMxudf.exe' MD5: D14D623AD514F6EF05FB94541868B29C)
    • schtasks.exe (PID: 2044 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6136 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4a6cd:$x1: NanoCore.ClientPluginHost
  • 0x281d7d:$x1: NanoCore.ClientPluginHost
  • 0x4a70a:$x2: IClientNetworkHost
  • 0x281dba:$x2: IClientNetworkHost
  • 0x4e23d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x2858ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x4a435:$a: NanoCore
  • 0x4a445:$a: NanoCore
  • 0x4a679:$a: NanoCore
  • 0x4a68d:$a: NanoCore
  • 0x4a6cd:$a: NanoCore
  • 0x281ae5:$a: NanoCore
  • 0x281af5:$a: NanoCore
  • 0x281d29:$a: NanoCore
  • 0x281d3d:$a: NanoCore
  • 0x281d7d:$a: NanoCore
  • 0x4a494:$b: ClientPlugin
  • 0x4a696:$b: ClientPlugin
  • 0x4a6d6:$b: ClientPlugin
  • 0x281b44:$b: ClientPlugin
  • 0x281d46:$b: ClientPlugin
  • 0x281d86:$b: ClientPlugin
  • 0x4a5bb:$c: ProjectData
  • 0x281c6b:$c: ProjectData
  • 0x38c022:$c: ProjectData
  • 0x426a42:$c: ProjectData
  • 0x4afc2:$d: DESCrypto
Process Memory Space: AIC7VMxudf.exe PID: 4872 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x119f48:$x1: NanoCore.ClientPluginHost
  • 0x19898e:$x1: NanoCore.ClientPluginHost
  • 0x119fa9:$x2: IClientNetworkHost
  • 0x1989ef:$x2: IClientNetworkHost
  • 0x11f3ae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x12d320:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x19ddf4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1abd66:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.AIC7VMxudf.exe.3efabf0.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.AIC7VMxudf.exe.3efabf0.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.AIC7VMxudf.exe.3efabf0.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.AIC7VMxudf.exe.3efabf0.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.AIC7VMxudf.exe.2c868c4.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(3 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\AIC7VMxudf.exe', ParentImage: C:\Users\user\Desktop\AIC7VMxudf.exe, ParentProcessId: 4872, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp', ProcessId: 2044

          Signature Overview

          AV Detection:

Multi AV Scanner detection for domain / URL
Source: nassiru1144.ddns.net; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe; Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe; Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe; ReversingLabs: Detection: 68%
Multi AV Scanner detection for submitted file
Source: AIC7VMxudf.exe; Virustotal: Detection: 51%
Source: AIC7VMxudf.exe; Metadefender: Detection: 27%
Source: AIC7VMxudf.exe; ReversingLabs: Detection: 68%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY
Source: Yara match; File source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE
Source: AIC7VMxudf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: AIC7VMxudf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 4x nop then add dword ptr [ebp-0Ch], 01h (0_2_02A56E10)

          Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: nassiru1144.ddns.net
Source: global traffic; TCP traffic: 192.168.2.3:49712 -> 194.5.98.250:1012
Source: global traffic; TCP traffic: 192.168.2.3:49721 -> 79.134.225.30:1012
Source: Joe Sandbox View; IP Address: 194.5.98.250
Source: Joe Sandbox View; IP Address: 79.134.225.30
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown; TCP traffic detected without corresponding DNS query: 194.5.98.250 (9 occurrences)
Source: unknown; DNS traffic detected: queries for: nassiru1144.ddns.net
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY
Source: Yara match; File source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 0_2_02A5A7B0
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 0_2_02A588E1
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 0_2_02A570C0
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 0_2_02A5B4F0
Source: AIC7VMxudf.exe; Binary or memory string: OriginalFilename vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDurmu_ vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000000.194606267.0000000000692000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameIMoniker.exeB vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000002.208258506.00000000063F0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000002.208258506.00000000063F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000002.208143709.0000000006300000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe, 00000000.00000002.207993430.0000000005CA0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDebuggerHiddenAttribute.dllX vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe; Binary or memory string: OriginalFilenameIMoniker.exeB vs AIC7VMxudf.exe
Source: AIC7VMxudf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.204528446.0000000003C89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.AIC7VMxudf.exe.3efabf0.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal100.troj.evad.winEXE@8/7@16/3
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File created: C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Mutant created: \Sessions\1\BaseNamedObjects\KbxxSk
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{c58032b4-d173-4ca1-842f-62ce41b0e6f4}
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File created: C:\Users\user\AppData\Local\Temp\tmp819D.tmp
Source: AIC7VMxudf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AIC7VMxudf.exe; Binary or memory string: Select * from Customers;
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO PublisherMembershipCondition VALUES(@modelo, @fabricante, @ano, @cor);
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp; Binary or memory string: Select * from PublisherMembershipCondition WHERE modelo=@modelo;zDeu erro na execu
Source: AIC7VMxudf.exe; Virustotal: Detection: 51%
Source: AIC7VMxudf.exe; Metadefender: Detection: 27%
Source: AIC7VMxudf.exe; ReversingLabs: Detection: 68%
Source: AIC7VMxudf.exe; String found in binary or memory: Freight:/frmActionOrderReception-Add Stock to Inventory{Update OrderReceptions Set Status = 'APPROVED', ChangedBy = '
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File read: C:\Users\user\Desktop\AIC7VMxudf.exe
Source: unknown; Process created: C:\Users\user\Desktop\AIC7VMxudf.exe 'C:\Users\user\Desktop\AIC7VMxudf.exe'
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: AIC7VMxudf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AIC7VMxudf.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AIC7VMxudf.exe; Static file information: File size 1182208 > 1048576
Source: AIC7VMxudf.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11bc00
Source: AIC7VMxudf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

          Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: AIC7VMxudf.exe, FallbackBuffer.cs; .Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "SKS" } } }, null, null, null, true)
Source: TqksXQmEOtil.exe.0.dr, FallbackBuffer.cs; .Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "SKS" } } }, null, null, null, true)
Source: 0.2.AIC7VMxudf.exe.690000.0.unpack, FallbackBuffer.cs; .Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "SKS" } } }, null, null, null, true)
Source: 0.0.AIC7VMxudf.exe.690000.0.unpack, FallbackBuffer.cs; .Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "SKS" } } }, null, null, null, true)
.NET source code contains potential unpacker
Source: AIC7VMxudf.exe, FallbackBuffer.cs; .Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: TqksXQmEOtil.exe.0.dr, FallbackBuffer.cs; .Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.AIC7VMxudf.exe.690000.0.unpack, FallbackBuffer.cs; .Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.AIC7VMxudf.exe.690000.0.unpack, FallbackBuffer.cs; .Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Code function: 0_2_006951AC push es; retf 0000h (0_2_00695377)
Source: initial sample; Static PE information: section name: .text entropy: 7.31668862644 (2 occurrences)
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; File created: C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\AIC7VMxudf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp'

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AIC7VMxudf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AIC7VMxudf.exe PID: 4872, type: MEMORY
          Source: Yara match | File source: 0.2.AIC7VMxudf.exe.2c868c4.1.raw.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6738
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2762
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 782
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 652
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe TID: 3412 | Thread sleep time: -100494s >= -30000s
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe TID: 4972 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Thread delayed: delay time: 100494
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: AIC7VMxudf.exe, 00000000.00000002.203974120.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqksXQmEOtil' /XML 'C:\Users\user\AppData\Local\Temp\tmp819D.tmp'
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\AIC7VMxudf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe