Analysis Report TT COPY pdf.exe

Overview

General Information

Sample Name: TT COPY pdf.exe
Analysis ID: 402887
MD5: 5c59c6fb72b449bd3e52b628c7c46002
SHA1: 85974547f519babcdd3f8d5a68ba18930f09d46d
SHA256: 0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
Tags: exe NanoCoreRAT
Most interesting Screenshot:

Errors
  • Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly
  • Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location
  • Sigma syntax error: Rules are missing titles
  • Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution
  • Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin
  • Sigma runtime error: Invalid condition: false || (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil
  • Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: NanoCore
Sigma detected: NotPetya Ransomware Activity
Sigma detected: QBot Process Creation
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Exchange Exploitation Activity
Sigma detected: Mustang Panda Dropper
Sigma detected: Raccine Uninstall
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SMSW)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System32
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TT COPY pdf.exe (PID: 5640 cmdline: 'C:\Users\user\Desktop\TT COPY pdf.exe' MD5: 5C59C6FB72B449BD3E52B628C7C46002)
    • schtasks.exe (PID: 6160 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TT COPY pdf.exe (PID: 6240 cmdline: C:\Users\user\Desktop\TT COPY pdf.exe MD5: 5C59C6FB72B449BD3E52B628C7C46002)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  Strings:
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  Strings:
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  Strings:
    • 0x1f86a5:$x1: NanoCore.ClientPluginHost
    • 0x22aec5:$x1: NanoCore.ClientPluginHost
    • 0x1f86e2:$x2: IClientNetworkHost
    • 0x22af02:$x2: IClientNetworkHost
    • 0x1fc215:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x22ea35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(14 further entries not shown)

Unpacked PEs

Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  Strings:
    • 0x157a3d:$x1: NanoCore.ClientPluginHost
    • 0x18a25d:$x1: NanoCore.ClientPluginHost
    • 0x157a7a:$x2: IClientNetworkHost
    • 0x18a29a:$x2: IClientNetworkHost
    • 0x15b5ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x18ddcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack
  Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  Strings:
    • 0x1577a5:$a: NanoCore
    • 0x1577b5:$a: NanoCore
    • 0x1579e9:$a: NanoCore
    • 0x1579fd:$a: NanoCore
    • 0x157a3d:$a: NanoCore
    • 0x189fc5:$a: NanoCore
    • 0x189fd5:$a: NanoCore
    • 0x18a209:$a: NanoCore
    • 0x18a21d:$a: NanoCore
    • 0x18a25d:$a: NanoCore
    • 0x157804:$b: ClientPlugin
    • 0x157a06:$b: ClientPlugin
    • 0x157a46:$b: ClientPlugin
    • 0x18a024:$b: ClientPlugin
    • 0x18a226:$b: ClientPlugin
    • 0x18a266:$b: ClientPlugin
    • 0xad9a1:$c: ProjectData
    • 0x15792b:$c: ProjectData
    • 0x18a14b:$c: ProjectData
    • 0x158332:$d: DESCrypto
    • 0x18ab52:$d: DESCrypto
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  Strings:
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack
  Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  Strings:
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
(36 further entries not shown)

        Sigma Overview

        System Summary:

Sigma detected: BlueMashroom DLL Load (Source: Process started; Author: Florian Roth)
Sigma detected: NanoCore (Source: File created; Author: Joe Security)
  Data: EventID: 11, Image: C:\Users\user\Desktop\TT COPY pdf.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: NotPetya Ransomware Activity (Source: Process started; Author: Florian Roth, Tom Ueltschi)
Sigma detected: QBot Process Creation (Source: Process started; Author: Florian Roth)
Sigma detected: Scheduled temp file as task from temp location (Source: Process started; Author: Joe Security)
Sigma detected: Exchange Exploitation Activity (Source: Process started; Author: Florian Roth)
Sigma detected: Mustang Panda Dropper (Source: Process started; Author: Florian Roth, oscd.community)
Sigma detected: Raccine Uninstall (Source: Process started; Author: Florian Roth)
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder (Source: Process started; Author: Florian Roth)
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day (Source: Process started; Author: Olaf Hartong)
Sigma detected: PowerShell Script Run in AppData (Source: Process started; Author: Florian Roth, Jonhnathan Ribeiro, oscd.community)
Sigma detected: Suspicious Copy From or To System32 (Source: Process started; Author: Florian Roth, Markus Neis)
Sigma detected: Change Default File Association (Source: Process started; Author: Timur Zinniatullin, oscd.community)

Event data for every "Process started" match listed above (identical for each of those rules):
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160
Sigma detected: Data Compressed - Powershell (Source: Event Logs; Author: Timur Zinniatullin, oscd.community)
  Data: EventID: 4104, Source: Microsoft-Windows-PowerShell, data 0: 1, data 1: 1, data 2: # Copyright 2008, Microsoft Corporation. All rights reserved. #Common utility functions Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData # Function to get user troubleshooting history function Get-UserTSHistoryPath { return "${env:localappdata}\diagnostics" } # Function to get admin troubleshooting history function Get-AdminTSHistoryPath { return "${env:localappdata}\elevateddiagnostics" } # Function to get user report folder path function Get-UserReportPath { return "${env:localappdata}\Microsoft\Windows\WER\ReportQueue" } # Function to get system report folder path function Get-MachineReportPath { return "${env:AllUsersProfile}\Microsoft\Windows\WER\ReportQueue" } # Function to get threshold to check whether a folder is old function Get-ThresholdForCheckOlderFile { [int]$threshold = -1 return $threshold } # Function to get threshold for deleting WER folder function Get-ThresholdForFileDeleting() { [string]$registryEntryPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" [string]$registryEntryName = "PurgeThreshholdValueInKB" [double]$defaultValue = 10.0 return Get-RegistryValue $registryEntryPath $registryEntryName $defaultValue } # Function to get the size of a directory in kb function Get-FolderSize([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return 0 } if(-not $Global:DirectoryObject) { $Global:DirectoryObject = New-Object -comobject "Scripting.FileSystemObject" } return ($Global:DirectoryObject.GetFolder($folder).Size) / 1kb } # Function to delete a folder function Delete-Folder([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return } Remove-Item -literalPath $folder -Recurse -Force } # Function to delete old folders function Delete-OldFolders($folder=$(throw "No folder is specified")) { if(($folder -eq $null) -or (-not(Test-Path $folder))) { return } [int]$threshold = Get-ThresholdForCheckOlderFile $folders = Get-ChildItem -LiteralPath ($folder.FullName) -Force | Where-Object {$_.PSIsContainer} if($folders -ne $null) { foreach($folder in $folders) { if((($folder.CreationTime).CompareTo((Get-Date).AddMonths($threshold))) -lt 0) { Delete-Folder ($folder.FullName) } else { Delete-OldFolders (Get-Item ($folder.FullName)) } } } } # Function to get registry value function Get-RegistryValue([string]$registryEntryPath = $(throw "No registry entry path is specified"), [string]$registryEntryName = $(throw "No registry entry name is specified"), [double]$defaultValue = 0.0) { [double]$registryEntryValue = $defaultValue $registryEntry = Get-ItemProperty -Path $registryEntryPath -Name $registryEntryName if($registryEntry -ne $null) { $registryEntryValue = $registryEntry.$registryEntryName } return $registryEntryValue } # Function to get the

        Signature Overview

        AV Detection:

Found malware configuration
  Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\kAozQG.exe; ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
  Source: TT COPY pdf.exe; ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
  Source: Yara match; File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
  Source: Yara match; File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\kAozQG.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: TT COPY pdf.exe; Joe Sandbox ML: detected
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack; Avira: Label: TR/NanoCore.fadte
Source: 7.2.TT COPY pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: TT COPY pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TT COPY pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\TT COPY pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (reported 5 times)

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 23.105.131.171:4040
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 23.105.131.171:4040
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 23.105.131.171:4040
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 23.105.131.171:4040
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 23.105.131.171:4040
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs:
        Source: Malware configuration extractorURLs: 23.105.131.171
        Source: global trafficTCP traffic: 192.168.2.5:49719 -> 23.105.131.171:4040
        Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.171
        Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.171 (this entry is repeated 29 times in this part of the report, once per connection attempt, and is collapsed here)
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices (the raw input API that keyloggers use to receive keystrokes without a hook)
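The collapsed entry above records TCP connections to 23.105.131.171 that no DNS lookup preceded, which is how a hard-coded C2 address looks on the wire. The following Python is an added example, not part of the Joe Sandbox report, that implements the same correlation over DNS and connection events from one host: a public destination is flagged unless a DNS answer for that IP was seen by the same host within a window before the connect, and local, multicast and loopback traffic is skipped because it is normally reached without DNS. The event list is constructed for the example; the sandbox does not record the destination port in this section, so the ports, the 10.0.0.5 client, the timestamps and the ten-minute window are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events for the example (not taken from the sandbox capture).
# Tuple fields: ISO timestamp, kind ("dns" answer or "conn" TCP connect),
# source host, detail ("name=ip" for dns, "ip:port" for conn).
SAMPLE_EVENTS = [
    ("2021-04-29T10:00:01", "dns",  "10.0.0.5", "stackpath.bootstrapcdn.com=104.18.10.207"),
    ("2021-04-29T10:00:02", "conn", "10.0.0.5", "104.18.10.207:443"),    # resolved first: fine
    ("2021-04-29T10:00:05", "conn", "10.0.0.5", "23.105.131.171:5000"),  # no DNS answer for this IP
    ("2021-04-29T10:00:35", "conn", "10.0.0.5", "23.105.131.171:5000"),  # periodic retry / beacon
    ("2021-04-29T10:01:05", "conn", "10.0.0.5", "23.105.131.171:5000"),
    ("2021-04-29T10:01:10", "conn", "10.0.0.5", "10.0.0.1:445"),         # RFC 1918: ignored
    ("2021-04-29T10:01:12", "conn", "10.0.0.5", "224.0.0.252:5355"),     # multicast (LLMNR): ignored
]


def is_routable(ip):
    """Only public unicast destinations count; local, multicast and
    loopback traffic is normally reached without a DNS lookup."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_multicast or a.is_link_local
                or a.is_loopback or a.is_reserved or a.is_unspecified)


def find_dnsless_connections(events, window=timedelta(minutes=10)):
    """Correlate TCP connects with earlier DNS answers seen by the same host.

    Returns {(src, dst_ip): {"count": n, "first_seen": datetime}} for every
    public destination that no DNS answer within `window` explained.
    Events are processed in timestamp order (ISO strings sort correctly).
    """
    resolved = defaultdict(dict)   # src host -> {answer ip: time of last answer}
    hits = {}
    for ts, kind, src, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "dns":
            _name, ip = detail.split("=", 1)
            resolved[src][ip] = when
            continue
        dst_ip, _port = detail.rsplit(":", 1)
        if not is_routable(dst_ip):
            continue
        answered = resolved[src].get(dst_ip)
        if answered is not None and timedelta(0) <= when - answered <= window:
            continue                          # a DNS answer explains this connect
        entry = hits.setdefault((src, dst_ip), {"count": 0, "first_seen": when})
        entry["count"] += 1
    return hits


def report(events):
    """Human-readable lines in the same spirit as the sandbox finding."""
    lines = []
    for (src, dst), info in sorted(find_dnsless_connections(events).items()):
        lines.append("%s -> %s: %d TCP connection(s) without a corresponding DNS query "
                     "(first seen %s)" % (src, dst, info["count"], info["first_seen"].isoformat()))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

The repeat count matters as much as the first hit: a single DNS-less connect is common (hard-coded update servers, CDN IPs cached from an earlier session), while a short, regular interval to one public address with no name behind it is the beaconing shape a RAT produces.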

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match; File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
        Source: Yara match; File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Code functions found in process 0: 0_2_02734EB0, 0_2_027347D0, 0_2_02735478, 0_2_02731A07, 0_2_02736298, 0_2_02736289, 0_2_02731BA7, 0_2_027398D8, 0_2_02731943, 0_2_02731948, 0_2_02735EF0, 0_2_02735EE3, 0_2_02734EA3, 0_2_02734EAB, 0_2_027347C3, 0_2_02736476, 0_2_0273546B, 0_2_0298E6C0, 0_2_0298C3B4, 0_2_0298E6B0, 0_2_05B765E8, 0_2_05B78578, 0_2_05B77728, 0_2_05B73690, 0_2_05B7F3B8, 0_2_05B743E0, 0_2_05B76DA0, 0_2_05B7B948, 0_2_05B7F850, 0_2_05B765E3, 0_2_05B76526, 0_2_05B78573, 0_2_05B794B3, 0_2_05B794B8, 0_2_05B77719, 0_2_05B7A718, 0_2_05B7A709, 0_2_05B7A370, 0_2_05B7A36B, 0_2_05B76D90, 0_2_05B7ADC3, 0_2_05B7ADC8
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Code functions found in process 7: 7_2_02E5E480, 7_2_02E5E471, 7_2_02E5BBD4
        Source: TT COPY pdf.exe; Binary or memory string: OriginalFilename vs TT COPY pdf.exe (this entry appears twice in the report)
        Source: TT COPY pdf.exe, 00000000.00000002.271275533.000000000BD50000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSimpleUI.dll( vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000000.00000002.270925129.0000000005B80000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDSASignature.dll@ vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TT COPY pdf.exe
        Source: TT COPY pdf.exe; Binary or memory string: OriginalFilenameEventTags.exe< vs TT COPY pdf.exe
        Source: TT COPY pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Matched community Yara rules, with the metadata the report attaches to each match:
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Sources and the rules each one matched:
        Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
        Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2
        Source: TT COPY pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: kAozQG.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engine; Classification label: mal100.troj.evad.winEXE@6/6@0/1
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; File created: C:\Users\user\AppData\Roaming\kAozQG.exe
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\gqxHOc
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{97a824b7-e666-4a22-b2e3-fb501d91b8df}
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; File created: C:\Users\user\AppData\Local\Temp\tmp2D06.tmp
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (this entry appears twice in the report)
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key)
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Select * from Clientes WHERE id=@id;;
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data); (the Portuguese fragment "Erro ao listar Banco sql-Aluguel" means "Error listing database sql-Aluguel")
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp; Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo) (the Portuguese fragment "Erro ao listar Banco sql-SecurityLogonType" means "Error listing database sql-SecurityLogonType")
        Source: TT COPY pdf.exe; ReversingLabs: Detection: 19%
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; File read: C:\Users\user\Desktop\TT COPY pdf.exe
        Source: unknown; Process created: C:\Users\user\Desktop\TT COPY pdf.exe 'C:\Users\user\Desktop\TT COPY pdf.exe'
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\TT COPY pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: TT COPY pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, i.e. the file is a .NET assembly)
        Source: TT COPY pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt; source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb; source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
        Source: Binary string: System.pdb; source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_02731FAC push eax; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_027314CB pushad ; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0273054A push ecx; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7856B push cs; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B79763 push ss; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B79761 push ss; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B771AB push es; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B78278 push esi; retf
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7826E push esi; retf
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B7BFED pushfd ; iretd
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B76FC1 push es; ret
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_05B77F23 pushfd ; ret
        Source: initial sample | Static PE information: section name: .text entropy: 7.69430817012
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | File created: C:\Users\user\AppData\Roaming\kAozQG.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | File opened: C:\Users\user\Desktop\TT COPY pdf.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: TT COPY pdf.exe PID: 5640, type: MEMORY
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.29fedec.1.raw.unpack, type: UNPACKEDPE
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Code function: 0_2_0298B2D8 smsw word ptr [ecx+039D3E38h]
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Window / User API: threadDelayed 2509
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Window / User API: threadDelayed 7004
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Window / User API: foregroundWindowGot 958
        Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 4660 | Thread sleep time: -103771s >= -30000s
        Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 5524 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 6368 | Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Thread delayed: delay time: 103771
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Thread delayed: delay time: 922337203685477
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: TT COPY pdf.exe, 00000007.00000002.517304669.0000000000E6E000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Memory written: C:\Users\user\Desktop\TT COPY pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe
        Source: TT COPY pdf.exe, 00000007.00000002.519279220.000000000311D000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
        Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
        Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: TT COPY pdf.exe, 00000007.00000002.518432727.0000000002F7B000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$_
        Source: TT COPY pdf.exe, 00000007.00000002.523210502.00000000062FE000.00000004.00000001.sdmp | Binary or memory string: lProgram Manager
        Source: TT COPY pdf.exe, 00000007.00000002.518618473.0000000002FBB000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Queries volume information: C:\Users\user\Desktop\TT COPY pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\TT COPY pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Trailing digits after a technique name are the report's signature-count superscripts.

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading1 | Input Capture11 | Security Software Discovery211 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion41 | Security Account Manager | Virtualization/Sandbox Evasion41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph


        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        TT COPY pdf.exe | 19% | ReversingLabs | Win32.Trojan.AgentTesla
        TT COPY pdf.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\kAozQG.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\kAozQG.exe | 19% | ReversingLabs | Win32.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        7.2.TT COPY pdf.exe.58e0000.10.unpack | 100% | Avira | TR/NanoCore.fadte
        7.2.TT COPY pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
         | 0% | Avira URL Cloud | safe
        23.105.131.171 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
         | true | Avira URL Cloud: safe | low
        23.105.131.171 | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp | false | | high

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.105.131.171 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

            General Information

            Joe Sandbox Version:32.0.0 Black Diamond
            Analysis ID:402887
            Start date:03.05.2021
            Start time:15:23:19
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 57s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:TT COPY pdf.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:29
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@6/6@0/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 0.1% (good quality ratio 0.1%)
            • Quality average: 77.5%
            • Quality standard deviation: 11.1%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Errors:
            • Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly
            • Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location
            • Sigma syntax error: Rules are missing titles
            • Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution
            • Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin
            • Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin
            • Sigma runtime error: Invalid condition: false || (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil
            • Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

            Simulations

            Behavior and APIs

Time | Type | Description
15:24:22 | API Interceptor | 1008x Sleep call for process: TT COPY pdf.exe modified

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | Detection
23.105.131.171 | transfer pdf.exe | malicious
23.105.131.171 | DHLAWB# 9284880911 pdf.exe | malicious

                Domains

                No context

                ASN

Match | Associated Sample Name / URL | Detection | Context
LEASEWEB-USA-NYC-11US | transfer pdf.exe | malicious | 23.105.131.171
LEASEWEB-USA-NYC-11US | DHLAWB# 9284880911 pdf.exe | malicious | 23.105.131.171
LEASEWEB-USA-NYC-11US | PO.pdf.exe | malicious | 23.105.131.190
LEASEWEB-USA-NYC-11US | PO.pdf.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | PO.pdf.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | SecuriteInfo.com.Trojan.Win32.Save.a.29244.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | ZBgnuLqtOd.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | ZE9u48l6N4.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | PO copy.pdf.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | invoice&packing list.pdf.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | PO.PDF.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | PO copy.pdf.exe | malicious | 23.105.131.161
LEASEWEB-USA-NYC-11US | Ordem urgente AWB674653783- FF2453,PDF.exe | malicious | 23.105.131.132
LEASEWEB-USA-NYC-11US | Remittance FormDoc.exe | malicious | 23.19.227.243
LEASEWEB-USA-NYC-11US | Presupuesto de orden urgente KTX88467638,pdf.exe | malicious | 23.105.131.132
LEASEWEB-USA-NYC-11US | Dringende Bestellung Zitat CTX88467638,pdf.exe | malicious | 23.105.131.132
LEASEWEB-USA-NYC-11US | shipping document.exe | malicious | 23.105.131.207
LEASEWEB-USA-NYC-11US | 6V9espP5wD.exe | malicious | 23.105.131.195
LEASEWEB-USA-NYC-11US | NVAbIqNO9h.exe | malicious | 23.105.131.209
LEASEWEB-USA-NYC-11US | UUGCfhIdFD.exe | malicious | 23.105.131.228

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT COPY pdf.exe.log
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):1216
                Entropy (8bit):5.355304211458859
                Encrypted:false
                SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                MD5:69206D3AF7D6EFD08F4B4726998856D3
                SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                C:\Users\user\AppData\Local\Temp\tmp2D06.tmp
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1643
                Entropy (8bit):5.172308050226336
                Encrypted:false
                SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBdYtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3q
                MD5:92AE123C43B9118A157C6477DE51F190
                SHA1:BD3D84B3C0ABF082DD803ACE91AD9F95EAA170BF
                SHA-256:4FFAFB8ABE72A998C286BFAFB3288EC2CFD1F5029DE737FE298015B781F95FF0
                SHA-512:BB94339B70FF6CE7FDD060A00DB5966162053DE2858D5206F9F1BE5F5A224410DF6987198507439ACDACAC582431867942372EB24FB8E9AC05E9CEB8FA580F35
                Malicious:true
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:data
                Category:dropped
                Size (bytes):928
                Entropy (8bit):7.024371743172393
                Encrypted:false
                SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
                MD5:CCB690520E68EE385ACC0ACFE759AFFC
                SHA1:33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
                SHA-256:166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
                SHA-512:AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
                Malicious:false
                Reputation:low
                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:data
                Category:dropped
                Size (bytes):8
                Entropy (8bit):3.0
                Encrypted:false
                SSDEEP:3:r8:r8
                MD5:2DEDC34235C5260F4D29ECFE8E9F7C2B
                SHA1:3C68D1B9BD902EF465531028D4A212CC2D45D0EF
                SHA-256:51F73BE61DCC9973EDA643C38632AA52C5E8E63391050625D4CB5CC9789A2A01
                SHA-512:A92A0A52162300C3EAB9F971481DA753E1E8DA7845DBCF937C05C93943B815688CED61FCB77795DE1308EE1CB6C352AD51D1CABCD26A83154B81933C42313C02
                Malicious:true
                Reputation:low
                Preview: ...7...H
                C:\Users\user\AppData\Roaming\kAozQG.exe
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):906752
                Entropy (8bit):7.6609636801645715
                Encrypted:false
                SSDEEP:24576:Dg1zTaZViWg3XO7OJYidZ7x0oTSZikoIErs:DS/aZVHoXO72h0odgErs
                MD5:5C59C6FB72B449BD3E52B628C7C46002
                SHA1:85974547F519BABCDD3F8D5A68BA18930F09D46D
                SHA-256:0B39F5E8244F6D24DBF99914E31907F8E560C6612544A692EC97480C5C9FE371
                SHA-512:8C4B83A321E0AF75E9F3C77A10D41E005401E6747A92BBF3F251B76663267D5A6C917801AA791AF964DDB0F5740735CFBFD71BBA1A4E91DFCEDE3B132A9750FA
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 19%
                Reputation:low
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[.`..............P..x...\........... ........@.. ....................... ............@.....................................O........Y........................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc....Y.......Z...z..............@..@.reloc..............................@..B........................H.........................................................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r7..p~....o-...(......t$....+..*...0..&........(....rE..p~....o-...(......
                C:\Users\user\AppData\Roaming\kAozQG.exe:Zone.Identifier
                Process:C:\Users\user\Desktop\TT COPY pdf.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Reputation:high, very likely benign file
                Preview: [ZoneTransfer]....ZoneId=0

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.6609636801645715
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:TT COPY pdf.exe
                File size:906752
                MD5:5c59c6fb72b449bd3e52b628c7c46002
                SHA1:85974547f519babcdd3f8d5a68ba18930f09d46d
                SHA256:0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
                SHA512:8c4b83a321e0af75e9f3c77a10d41e005401e6747a92bbf3f251b76663267d5a6c917801aa791af964ddb0f5740735cfbfd71bba1a4e91dfcede3b132a9750fa
                SSDEEP:24576:Dg1zTaZViWg3XO7OJYidZ7x0oTSZikoIErs:DS/aZVHoXO72h0odgErs
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..`..............P..x...\........... ........@.. ....................... ............@................................

                File Icon

                Icon Hash:1d1949485b2d1e1e

                Static PE Info

                General

                Entrypoint:0x4d9712
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x608FF45B [Mon May 3 13:02:19 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al

                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd96c0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xda000 | 0x598c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd7718 | 0xd7800 | False | 0.849151682135 | data | 7.69430817012 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xda000 | 0x598c | 0x5a00 | False | 0.353776041667 | data | 4.54268336105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xda160 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294901502 | |
RT_ICON | 0xdb208 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_GROUP_ICON | 0xdf430 | 0x22 | data | |
RT_VERSION | 0xdf454 | 0x34c | data | |
RT_MANIFEST | 0xdf7a0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                Imports

DLL | Import
mscoree.dll | _CorExeMain

                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2009 - 2021
Assembly Version | 1.0.5.0
InternalName | EventTags.exe
FileVersion | 1.0.5.0
CompanyName | Cendario
LegalTrademarks |
Comments |
ProductName | Forge Templer
ProductVersion | 1.0.5.0
FileDescription | Forge Templer
OriginalFilename | EventTags.exe

                Network Behavior

                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/03/21-15:24:30.918264 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
05/03/21-15:24:38.891607 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49720 | 4040 | 192.168.2.5 | 23.105.131.171
05/03/21-15:24:45.893883 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 4040 | 192.168.2.5 | 23.105.131.171
05/03/21-15:24:52.914072 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 4040 | 192.168.2.5 | 23.105.131.171
05/03/21-15:26:29.950949 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 4040 | 192.168.2.5 | 23.105.131.171

                Network Port Distribution

                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2021 15:24:30.503123045 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:30.833909988 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:30.834101915 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:30.918263912 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:31.262438059 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:31.390827894 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:31.720134020 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:31.767025948 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:31.797579050 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.228486061 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.228569984 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.228790998 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.229001999 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.229042053 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.229078054 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.230318069 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.230395079 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.230513096 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.230573893 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.230597973 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.230659008 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.231997013 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.232072115 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.232079029 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.232145071 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.233521938 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.233561039 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.233608007 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.233633995 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.565164089 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.566549063 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.566694021 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.566776991 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.568584919 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.568681002 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.568696022 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.569204092 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.569262028 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.569305897 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.569802999 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.569946051 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.571118116 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.571337938 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.571425915 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.572271109 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.572540998 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.572628975 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.590037107 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.590208054 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.590271950 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.590358019 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.590512991 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.590646982 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.597157001 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.597269058 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.597349882 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.598556042 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.598632097 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.598702908 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.815001965 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.902785063 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.902865887 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.903785944 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.903841972 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.904007912 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.904066086 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.904623032 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.904685974 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.914709091 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.914766073 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.914891958 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.914963961 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.915288925 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.915338039 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.915934086 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.915982962 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.916174889 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.916230917 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.916404009 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.916452885 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.916769981 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.916840076 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.916882992 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.916929007 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.917529106 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.917582989 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.918248892 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.918337107 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.918483019 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.918533087 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.918927908 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.918986082 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.919127941 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.919198036 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.920212030 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.920274973 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
May 3, 2021 15:24:32.920568943 CEST | 4040 | 49719 | 23.105.131.171 | 192.168.2.5
May 3, 2021 15:24:32.920620918 CEST | 49719 | 4040 | 192.168.2.5 | 23.105.131.171
                May 3, 2021 15:24:32.921133041 CEST40404971923.105.131.171192.168.2.5
                May 3, 2021 15:24:32.921190023 CEST497194040192.168.2.523.105.131.171

                Code Manipulations

                Statistics

                Behavior

                System Behavior

                General

                Start time:15:24:21
                Start date:03/05/2021
                Path:C:\Users\user\Desktop\TT COPY pdf.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\TT COPY pdf.exe'
                Imagebase:0x520000
                File size:906752 bytes
                MD5 hash:5C59C6FB72B449BD3E52B628C7C46002
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:15:24:25
                Start date:03/05/2021
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
                Imagebase:0xda0000
                File size:185856 bytes
                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:15:24:26
                Start date:03/05/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7ecfc0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:15:24:26
                Start date:03/05/2021
                Path:C:\Users\user\Desktop\TT COPY pdf.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\TT COPY pdf.exe
                Imagebase:0x8d0000
                File size:906752 bytes
                MD5 hash:5C59C6FB72B449BD3E52B628C7C46002
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                Reputation:low

                Disassembly

                Code Analysis