Analysis Report TT COPY pdf.exe

Overview

General Information

Sample Name: TT COPY pdf.exe
Analysis ID: 402887
MD5: 5c59c6fb72b449bd3e52b628c7c46002
SHA1: 85974547f519babcdd3f8d5a68ba18930f09d46d
SHA256: 0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
Tags: exeNanoCoreRAT

Errors
  • Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly
  • Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location
  • Sigma syntax error: Rules are missing titles
  • Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution
  • Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: false || (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil
  • Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: NanoCore
Sigma detected: NotPetya Ransomware Activity
Sigma detected: QBot Process Creation
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Exchange Exploitation Activity
Sigma detected: Mustang Panda Dropper
Sigma detected: Raccine Uninstall
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SMSW)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System32
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kAozQG.exe ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: TT COPY pdf.exe ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kAozQG.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TT COPY pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack Avira: Label: TR/NanoCore.fadte
Source: 7.2.TT COPY pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: TT COPY pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TT COPY pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02738EA0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02739E20
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02739E17
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02738E9B
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02738FCC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 23.105.131.171:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 23.105.131.171
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49719 -> 23.105.131.171:4040
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Detected potential crypto function
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02734EB0 0_2_02734EB0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_027347D0 0_2_027347D0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02735478 0_2_02735478
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02731A07 0_2_02731A07
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02736298 0_2_02736298
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02736289 0_2_02736289
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02731BA7 0_2_02731BA7
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_027398D8 0_2_027398D8
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02731943 0_2_02731943
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02731948 0_2_02731948
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02735EF0 0_2_02735EF0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02735EE3 0_2_02735EE3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02734EA3 0_2_02734EA3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02734EAB 0_2_02734EAB
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_027347C3 0_2_027347C3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02736476 0_2_02736476
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0273546B 0_2_0273546B
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0298E6C0 0_2_0298E6C0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0298C3B4 0_2_0298C3B4
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0298E6B0 0_2_0298E6B0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B765E8 0_2_05B765E8
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B78578 0_2_05B78578
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B77728 0_2_05B77728
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B73690 0_2_05B73690
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7F3B8 0_2_05B7F3B8
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B743E0 0_2_05B743E0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B76DA0 0_2_05B76DA0
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7B948 0_2_05B7B948
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7F850 0_2_05B7F850
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B765E3 0_2_05B765E3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B76526 0_2_05B76526
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B78573 0_2_05B78573
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B794B3 0_2_05B794B3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B794B8 0_2_05B794B8
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B77719 0_2_05B77719
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7A718 0_2_05B7A718
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7A709 0_2_05B7A709
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7A370 0_2_05B7A370
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7A36B 0_2_05B7A36B
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B76D90 0_2_05B76D90
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7ADC3 0_2_05B7ADC3
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7ADC8 0_2_05B7ADC8
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 7_2_02E5E480 7_2_02E5E480
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 7_2_02E5E471 7_2_02E5E471
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 7_2_02E5BBD4 7_2_02E5BBD4
Sample file is different than original file name gathered from version info
Source: TT COPY pdf.exe Binary or memory string: OriginalFilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271275533.000000000BD50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.270925129.0000000005B80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs TT COPY pdf.exe
Source: TT COPY pdf.exe Binary or memory string: OriginalFilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe Binary or memory string: OriginalFilenameEventTags.exe< vs TT COPY pdf.exe
Uses 32bit PE files
Source: TT COPY pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: TT COPY pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kAozQG.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\TT COPY pdf.exe File created: C:\Users\user\AppData\Roaming\kAozQG.exe Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\gqxHOc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Users\user\Desktop\TT COPY pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{97a824b7-e666-4a22-b2e3-fb501d91b8df}
Source: C:\Users\user\Desktop\TT COPY pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp2D06.tmp Jump to behavior
Source: TT COPY pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TT COPY pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: TT COPY pdf.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\TT COPY pdf.exe File read: C:\Users\user\Desktop\TT COPY pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TT COPY pdf.exe 'C:\Users\user\Desktop\TT COPY pdf.exe'
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp' Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: TT COPY pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TT COPY pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_02731FAC push eax; ret 0_2_02731FD1
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_027314CB pushad ; ret 0_2_027315F2
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0273054A push ecx; ret 0_2_02730561
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7856B push cs; ret 0_2_05B78572
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B79763 push ss; ret 0_2_05B7976A
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B79761 push ss; ret 0_2_05B79762
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B771AB push es; ret 0_2_05B771B2
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B78278 push esi; retf 0_2_05B78279
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7826E push esi; retf 0_2_05B7826F
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B7BFED pushfd ; iretd 0_2_05B7BFEE
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B76FC1 push es; ret 0_2_05B76FC2
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_05B77F23 pushfd ; ret 0_2_05B77F25
Source: initial sample Static PE information: section name: .text entropy: 7.69430817012
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\TT COPY pdf.exe File created: C:\Users\user\AppData\Roaming\kAozQG.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\TT COPY pdf.exe File opened: C:\Users\user\Desktop\TT COPY pdf.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT COPY pdf.exe PID: 5640, type: MEMORY
Source: Yara match File source: 0.2.TT COPY pdf.exe.29fedec.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\TT COPY pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to detect virtual machines (SMSW)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Code function: 0_2_0298B2D8 smsw word ptr [ecx+039D3E38h] 0_2_0298B2D8
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Window / User API: threadDelayed 2509 Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Window / User API: threadDelayed 7004 Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Window / User API: foregroundWindowGot 958 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 4660 Thread sleep time: -103771s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 5524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 6368 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TT COPY pdf.exe Thread delayed: delay time: 103771 Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: TT COPY pdf.exe, 00000007.00000002.517304669.0000000000E6E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\TT COPY pdf.exe Memory written: C:\Users\user\Desktop\TT COPY pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp' Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe Jump to behavior
Source: TT COPY pdf.exe, 00000007.00000002.519279220.000000000311D000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progman
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: TT COPY pdf.exe, 00000007.00000002.518432727.0000000002F7B000.00000004.00000001.sdmp Binary or memory string: Program Manager|$_
Source: TT COPY pdf.exe, 00000007.00000002.523210502.00000000062FE000.00000004.00000001.sdmp Binary or memory string: lProgram Manager
Source: TT COPY pdf.exe, 00000007.00000002.518618473.0000000002FBB000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Users\user\Desktop\TT COPY pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Users\user\Desktop\TT COPY pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TT COPY pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE
Behavior Graph (ID: 402887, Sample: TT COPY pdf.exe, Startdate: 03/05/2021, Architecture: WINDOWS, Score: 100)

Start signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
  TT COPY pdf.exe started
    dropped: C:\Users\user\AppData\Roaming\kAozQG.exe (PE32)
    dropped: C:\Users\user\...\kAozQG.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp2D06.tmp (XML)
    dropped: C:\Users\user\AppData\...\TT COPY pdf.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    TT COPY pdf.exe started
      network: 23.105.131.171, ports 4040, 49719, 49720, LEASEWEB-USA-NYC-11US, United States
      dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
      signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    schtasks.exe started
      conhost.exe started

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name               Malicious
23.105.131.171  unknown  United States  396362  LEASEWEB-USA-NYC-11US  true

Contacted URLs

Name            Malicious  Antivirus Detection    Reputation
                true       Avira URL Cloud: safe  low
23.105.131.171  true       Avira URL Cloud: safe  unknown