
Analysis Report TT COPY pdf.exe

Overview

General Information

Sample Name: TT COPY pdf.exe
Analysis ID: 402887
MD5: 5c59c6fb72b449bd3e52b628c7c46002
SHA1: 85974547f519babcdd3f8d5a68ba18930f09d46d
SHA256: 0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Errors
  • Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly
  • Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location
  • Sigma syntax error: Rules are missing titles
  • Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution
  • Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: false || (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil
  • Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: NanoCore
Sigma detected: NotPetya Ransomware Activity
Sigma detected: QBot Process Creation
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Exchange Exploitation Activity
Sigma detected: Mustang Panda Dropper
Sigma detected: Raccine Uninstall
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SMSW)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System32
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TT COPY pdf.exe (PID: 5640 cmdline: 'C:\Users\user\Desktop\TT COPY pdf.exe' MD5: 5C59C6FB72B449BD3E52B628C7C46002)
    • schtasks.exe (PID: 6160 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TT COPY pdf.exe (PID: 6240 cmdline: C:\Users\user\Desktop\TT COPY pdf.exe MD5: 5C59C6FB72B449BD3E52B628C7C46002)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1f86a5:$x1: NanoCore.ClientPluginHost
  • 0x22aec5:$x1: NanoCore.ClientPluginHost
  • 0x1f86e2:$x2: IClientNetworkHost
  • 0x22af02:$x2: IClientNetworkHost
  • 0x1fc215:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x22ea35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(14 further memory dump entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x157a3d:$x1: NanoCore.ClientPluginHost
  • 0x18a25d:$x1: NanoCore.ClientPluginHost
  • 0x157a7a:$x2: IClientNetworkHost
  • 0x18a29a:$x2: IClientNetworkHost
  • 0x15b5ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x18ddcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1577a5:$a: NanoCore
  • 0x1577b5:$a: NanoCore
  • 0x1579e9:$a: NanoCore
  • 0x1579fd:$a: NanoCore
  • 0x157a3d:$a: NanoCore
  • 0x189fc5:$a: NanoCore
  • 0x189fd5:$a: NanoCore
  • 0x18a209:$a: NanoCore
  • 0x18a21d:$a: NanoCore
  • 0x18a25d:$a: NanoCore
  • 0x157804:$b: ClientPlugin
  • 0x157a06:$b: ClientPlugin
  • 0x157a46:$b: ClientPlugin
  • 0x18a024:$b: ClientPlugin
  • 0x18a226:$b: ClientPlugin
  • 0x18a266:$b: ClientPlugin
  • 0xad9a1:$c: ProjectData
  • 0x15792b:$c: ProjectData
  • 0x18a14b:$c: ProjectData
  • 0x158332:$d: DESCrypto
  • 0x18ab52:$d: DESCrypto
7.2.TT COPY pdf.exe.3eeff1c.5.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.3eeff1c.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
(36 further unpacked PE entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: NanoCore
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\TT COPY pdf.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: NotPetya Ransomware Activity
        Source: Process startedAuthor: Florian Roth, Tom Ueltschi: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: QBot Process Creation
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Scheduled temp file as task from temp location
        Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Exchange Exploitation Activity
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Mustang Panda Dropper
        Source: Process startedAuthor: Florian Roth, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Raccine Uninstall
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
        Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
        Source: Process startedAuthor: Olaf Hartong: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: PowerShell Script Run in AppData
        Source: Process startedAuthor: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Suspicious Copy From or To System32
        Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Change Default File Association
        Source: Process startedAuthor: Timur Zinniatullin, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Data Compressed - Powershell
        Source: Event LogsAuthor: Timur Zinniatullin, oscd.community: Data: EventID: 4104, Source: Microsoft-Windows-PowerShell, data 0: 1, data 1: 1, data 2: # Copyright 2008, Microsoft Corporation. All rights reserved. #Common utility functions Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData # Function to get user troubleshooting history function Get-UserTSHistoryPath { return "${env:localappdata}\diagnostics" } # Function to get admin troubleshooting history function Get-AdminTSHistoryPath { return "${env:localappdata}\elevateddiagnostics" } # Function to get user report folder path function Get-UserReportPath { return "${env:localappdata}\Microsoft\Windows\WER\ReportQueue" } # Function to get system report folder path function Get-MachineReportPath { return "${env:AllUsersProfile}\Microsoft\Windows\WER\ReportQueue" } # Function to get threshold to check whether a folder is old function Get-ThresholdForCheckOlderFile { [int]$threshold = -1 return $threshold } # Function to get threshold for deleting WER folder function Get-ThresholdForFileDeleting() { [string]$registryEntryPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" [string]$registryEntryName = "PurgeThreshholdValueInKB" [double]$defaultValue = 10.0 return Get-RegistryValue $registryEntryPath $registryEntryName $defaultValue } # Function to get the size of a directory in kb function Get-FolderSize([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return 0 } if(-not $Global:DirectoryObject) { $Global:DirectoryObject = New-Object -comobject "Scripting.FileSystemObject" } return ($Global:DirectoryObject.GetFolder($folder).Size) / 1kb } # Function to delete a folder function Delete-Folder([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return } Remove-Item -literalPath $folder -Recurse -Force } # Function to 
delete old folders function Delete-OldFolders($folder=$(throw "No folder is specified")) { if(($folder -eq $null) -or (-not(Test-Path $folder))) { return } [int]$threshold = Get-ThresholdForCheckOlderFile $folders = Get-ChildItem -LiteralPath ($folder.FullName) -Force | Where-Object {$_.PSIsContainer} if($folders -ne $null) { foreach($folder in $folders) { if((($folder.CreationTime).CompareTo((Get-Date).AddMonths($threshold))) -lt 0) { Delete-Folder ($folder.FullName) } else { Delete-OldFolders (Get-Item ($folder.FullName)) } } } } # Function to get registry value function Get-RegistryValue([string]$registryEntryPath = $(throw "No registry entry path is specified"), [string]$registryEntryName = $(throw "No registry entry name is specified"), [double]$defaultValue = 0.0) { [double]$registryEntryValue = $defaultValue $registryEntry = Get-ItemProperty -Path $registryEntryPath -Name $registryEntryName if($registryEntry -ne $null) { $registryEntryValue = $registryEntry.$registryEntryName } return $registryEntryValue } # Function to get the

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kAozQG.exe, ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: TT COPY pdf.exe, ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match, File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kAozQG.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TT COPY pdf.exe, Joe Sandbox ML: detected
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, Avira: Label: TR/NanoCore.fadte
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: TT COPY pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TT COPY pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\TT COPY pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_02738EA0
Source: C:\Users\user\Desktop\TT COPY pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_02739E20
Source: C:\Users\user\Desktop\TT COPY pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_02739E17
Source: C:\Users\user\Desktop\TT COPY pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_02738E9B
Source: C:\Users\user\Desktop\TT COPY pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_02738FCC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 23.105.131.171:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 23.105.131.171
Source: global traffic, TCP traffic: 192.168.2.5:49719 -> 23.105.131.171:4040
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02734EB0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_027347D0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02735478
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02731A07
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02736298
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02736289
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02731BA7
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_027398D8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02731943
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02731948
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02735EF0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02735EE3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02734EA3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02734EAB
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_027347C3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02736476
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0273546B
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0298E6C0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0298C3B4
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0298E6B0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B765E8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B78578
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B77728
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B73690
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7F3B8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B743E0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B76DA0
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7B948
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7F850
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B765E3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B76526
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B78573
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B794B3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B794B8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B77719
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7A718
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7A709
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7A370
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7A36B
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B76D90
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7ADC3
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7ADC8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 7_2_02E5E480
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 7_2_02E5E471
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 7_2_02E5BBD4
        Source: TT COPY pdf.exe | Binary or memory string: OriginalFilename vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.271275533.000000000BD50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.270925129.0000000005B80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe | Binary or memory string: OriginalFilenameEventTags.exe< vs TT COPY pdf.exe
        Source: TT COPY pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: TT COPY pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: kAozQG.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ