Analysis Report TRACKING UPDATE.exe

Overview

General Information

Sample Name:	TRACKING UPDATE.exe
Analysis ID:	384119
MD5:	26d7fd5cf5d0d6b7c1390aa0b6a7e32a
SHA1:	fd75384ba2fd1babc922700f8a5dbf8996038d47
SHA256:	ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "8545b101-932f-4225-af0e-44d64dd1", "Group": "cashout", "Domain1": "kennethw201.ddns.net", "Domain2": "185.140.53.10", "Port": 37151, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe	ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419452781.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d14595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 26.2.dhcpmon.exe.400000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: TRACKING UPDATE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: TRACKING UPDATE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000003.478327529.0000000008FB6000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49712 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49716 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 185.140.53.10:37151
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 185.140.53.10:37151

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: kennethw201.ddns.net
Source: Malware configuration extractor	URLs: 185.140.53.10

Uses dynamic DNS services

Source: unknown

DNS query: name: kennethw201.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49712 -> 185.140.53.10:37151

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: kennethw201.ddns.net

Source: powershell.exe, 00000008.00000003.485241267.00000000078B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.N
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000004.00000003.458612605.000000000767F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377583018.00000000030DD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000003.458612605.000000000767F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: TRACKING UPDATE.exe, 00000000.00000002.279626106.0000000006180000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.429053954.0000000006190000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000003.458612605.000000000767F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: TRACKING UPDATE.exe, 00000000.00000002.264952887.0000000001469000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: dhcpmon.exe, 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419452781.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d14595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3d0ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.419452781.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.3d0ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.2d29658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.3d14595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.3d0ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Detected potential crypto function

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_00CA3684	0_2_00CA3684
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_079215A8	0_2_079215A8
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_079237E8	0_2_079237E8
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_02FEE3D8	0_2_02FEE3D8
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_02FEE3C9	0_2_02FEE3C9
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_02FEC0C4	0_2_02FEC0C4
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_057345D0	0_2_057345D0
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_05733580	0_2_05733580
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_05733168	0_2_05733168
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_057348F8	0_2_057348F8
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_05733595	0_2_05733595
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_05734671	0_2_05734671
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00C03684	19_2_00C03684
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_075837E8	19_2_075837E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_075815A8	19_2_075815A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_07582898	19_2_07582898
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_07582300	19_2_07582300
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_07580A20	19_2_07580A20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0169C0C4	19_2_0169C0C4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0169E3C9	19_2_0169E3C9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0169E3D8	19_2_0169E3D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059CE550	19_2_059CE550
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059CE958	19_2_059CE958
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059CE542	19_2_059CE542
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059C83F0	19_2_059C83F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059CBB10	19_2_059CBB10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059C5A38	19_2_059C5A38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_059C5A27	19_2_059C5A27
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_00873684	26_2_00873684
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02CAE480	26_2_02CAE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02CAE471	26_2_02CAE471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02CABBD4	26_2_02CABBD4

PE file contains strange resources

Source: TRACKING UPDATE.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: naILYUoYDoiOaN.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: TRACKING UPDATE.exe	Binary or memory string: OriginalFilename vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.286932381.00000000078A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.259119729.0000000000D2A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDateMapping.exe0 vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.286728168.0000000007710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.264952887.0000000001469000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.291852254.000000000DD30000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.291852254.000000000DD30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000000.00000002.290933138.000000000DC40000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000009.00000003.281737315.0000000006F91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe, 00000009.00000000.253651672.0000000000B0A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDateMapping.exe0 vs TRACKING UPDATE.exe
Source: TRACKING UPDATE.exe	Binary or memory string: OriginalFilenameDateMapping.exe0 vs TRACKING UPDATE.exe

Uses 32bit PE files

Source: TRACKING UPDATE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.269666651.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.391813496.000000000409C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.419452781.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.403485452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6040, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.3d0ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.3d0ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.dhcpmon.exe.3d0b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.2d29658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.2d29658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41a3400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.3d14595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.3d14595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TRACKING UPDATE.exe.4293400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.3d0ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.3d0ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.41a3400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TRACKING UPDATE.exe.4293400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: TRACKING UPDATE.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: naILYUoYDoiOaN.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/24@9/2

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe

File created: C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\RhEjIOKqZV
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8545b101-932f-4225-af0e-44d64dd12c2a}

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\TRACKING UPDATE.exe 'C:\Users\user\Desktop\TRACKING UPDATE.exe'
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TRACKING UPDATE.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\naILYUoYDoiOaN' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E9C.tmp'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Users\user\Desktop\TRACKING UPDATE.exe C:\Users\user\Desktop\TRACKING UPDATE.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\naILYUoYDoiOaN' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D1A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TRACKING UPDATE.exe'	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\naILYUoYDoiOaN' /XML 'C:\Users\user\AppData\Local\Temp\tmp8E9C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process created: C:\Users\user\Desktop\TRACKING UPDATE.exe C:\Users\user\Desktop\TRACKING UPDATE.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\naILYUoYDoiOaN' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D1A.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_00D1D6C8 push ebx; ret	0_2_00D1D717
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_00D1CCE0 push cs; ret	0_2_00D1CCE1
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_00D1D963 push ebx; retf	0_2_00D1D964
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_00D1D719 push ebx; ret	0_2_00D1D717
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Code function: 0_2_078D3D05 push ebx; iretd	0_2_078D3D18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00C7D6C8 push ebx; ret	19_2_00C7D717
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00C7D963 push ebx; retf	19_2_00C7D964
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00C7CCE0 push cs; ret	19_2_00C7CCE1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00C7D719 push ebx; ret	19_2_00C7D717
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_07533D05 push ebx; iretd	19_2_07533D18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_008ED719 push ebx; ret	26_2_008ED717
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_008ED6C8 push ebx; ret	26_2_008ED717
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_008ED963 push ebx; retf	26_2_008ED964
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_008ECCE0 push cs; ret	26_2_008ECCE1

Source: initial sample	Static PE information: section name: .text entropy: 7.9386015162
Source: initial sample	Static PE information: section name: .text entropy: 7.9386015162
Source: initial sample	Static PE information: section name: .text entropy: 7.9386015162

Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 26.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	File created: C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe			Jump to dropped file

Source: Yara match	File source: 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7104, type: MEMORY
Source: Yara match	File source: Process Memory Space: TRACKING UPDATE.exe PID: 6044, type: MEMORY

Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TRACKING UPDATE.exe, 00000000.00000002.266281327.0000000003181000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4512	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3249	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2767	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1908	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3080	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2412	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Window / User API: threadDelayed 5539
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Window / User API: threadDelayed 3393

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe TID: 6008	Thread sleep time: -100543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe TID: 6040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3136	Thread sleep count: 4512 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3752	Thread sleep count: 3249 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep count: 3080 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep count: 57 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 2412 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5244	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5244	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe TID: 6532	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7108	Thread sleep time: -103799s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1388	Thread sleep count: 110 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep count: 55 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Thread delayed: delay time: 100543	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 103799
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: TRACKING UPDATE.exe, 00000000.00000002.265035748.000000000149E000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0l[h
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000013.00000002.377674735.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: TRACKING UPDATE.exe, 00000009.00000003.274739079.000000000132D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	Memory written: C:\Users\user\Desktop\TRACKING UPDATE.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\TRACKING UPDATE.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Analysis Report TRACKING UPDATE.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: TRACKING UPDATE.exe, 00000009.00000003.281737315.0000000006F91000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001A.00000002.422831822.0000000003CC9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Name	Malicious	Antivirus Detection	Reputation
kennethw201.ddns.net	true	Avira URL Cloud: safe	unknown
185.140.53.10	true	Avira URL Cloud: safe	unknown

ID:	384119
Product:	CloudBasic
Start time:	16:26:25
Start date:	08.04.2021
Sample:	TRACKING UPDATE.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	26d7fd5cf5d0d6b7c1390aa0b6a7e32a
SHA1:	fd75384ba2fd1babc922700f8a5dbf8996038d47
SHA256:	ec66cd2ec3ec5ee4b67579d7091f101b3f7cedf937b9e092d7b6803894a92df4
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	26D7FD5CF5D0D6B7C1390AA0B6A7E32A	FD75384BA2FD1BABC922700F8A5DBF8996038D47	EC66CD2EC3EC5EE4B67579D7091F101B3F7CEDF937B9E092D7B6803894A92DF4
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRACKING UPDATE.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	A1298F6DA5FBA5729DC8D6DD2B5F193B	694752E724A0619131D0FA1B9DAB9086212CB7C8	579459E02C6A6AD3FDB3E2D729196747DD4409CEC19E39BBFFF44FA18135B5E6
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1o41ejz0.rn4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ca0f3twl.klm.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jili4gyj.nxd.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l11hkwmx.rh1.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lc2pkavk.umd.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uhhp0byt.aji.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp4D1A.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	7EB9A83516B40F22C6B5F08990401752	8FE6BCB920FCAC8BAC173CBE489A4BEDD8A7021F	9263457846306DA62FD5BB8059F4DD77C8F62D454070BCE392CF35A67CFB3723
C:\Users\user\AppData\Local\Temp\tmp8E9C.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	7EB9A83516B40F22C6B5F08990401752	8FE6BCB920FCAC8BAC173CBE489A4BEDD8A7021F	9263457846306DA62FD5BB8059F4DD77C8F62D454070BCE392CF35A67CFB3723
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	838CD9DBC78EA45A5406EAE23962086D	C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C	6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	ISO-8859 text, with no line terminators	CFB9D91774466C8AA69BA266773BDF76	6AC1EF1B6FB7EB3878606E8BBAB9A74BEE1AFF1E	1C66D092C5D6EE04313F3514D6CE3C9C6B213930B86FDBC76368B1E3211E7B8B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	7E8F4A764B981D5B82D1CC49D341E9C6	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	26D7FD5CF5D0D6B7C1390AA0B6A7E32A	FD75384BA2FD1BABC922700F8A5DBF8996038D47	EC66CD2EC3EC5EE4B67579D7091F101B3F7CEDF937B9E092D7B6803894A92DF4
C:\Users\user\AppData\Roaming\naILYUoYDoiOaN.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20210408\PowerShell_transcript.179605.LfGkfzga.20210408162728.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	C0CF72D46829DABF024933EE20D2452D	7EA7596BCD0CBDEA3E835FE2644068FE8496FAC0	DB3E592EF91560328A8F0ACCEDA80F467EFBD993F79B82BBBFFF02BE9E7DBD7A
C:\Users\user\Documents\20210408\PowerShell_transcript.179605.R5baWuSv.20210408162728.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	10FB8743959375D68A6B700AFF6528B0	66038789FAEF0DDBC83BF1D5BDBCA875F34BCC7F	2DCB5B0B3E7FE410647FE0BF42AA7FC37CEA868A40C39AD9673641A5D90E401C
C:\Users\user\Documents\20210408\PowerShell_transcript.179605.Xg_hm3+y.20210408162733.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	981C38F0589D495BC748EC14B16E7B7D	9659D512874A752854D52FD9BA586F3F3D41D55B	C1CA28EFC4599B5633F75514698E1BEADE27756E7218E32637CF2ED2FC500C90