Analysis Report 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Overview

General Information

Sample Name: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Analysis ID: 403532
MD5: cdda16bd52c7c602b534593be9149a42
SHA1: 5789cb8b8b1493de3733c66cd52d8b0180be6cd4
SHA256: 741b26251fa1fba9c4d5eb7aaca544f07859f82c296b8c01d2339a4ea2d06c58
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe (PID: 6180 cmdline: 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe' MD5: CDDA16BD52C7C602B534593BE9149A42)
    • powershell.exe (PID: 6356 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6412 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6528 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gKpxRZsP.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6556 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 6696 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB146.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6756 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB52F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6856 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5732 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "caa6fa7a-f28b-4f9f-9a4a-ce9e5290",
  "Group": "ONEZERO",
  "Domain1": "strongodss.ddns.net",
  "Domain2": "79.134.225.40",
  "Port": 48154,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8009,
  "BufferSize": "02000100",
  "MaxPacketSize": "",
  "GCThreshold": "",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x13a95:$a: NanoCore
  • 0x13aee:$a: NanoCore
  • 0x13b2b:$a: NanoCore
  • 0x13ba4:$a: NanoCore
  • 0x19139:$a: NanoCore
  • 0x19183:$a: NanoCore
  • 0x1936d:$a: NanoCore
  • 0x2cc8c:$a: NanoCore
  • 0x2cca1:$a: NanoCore
  • 0x2ccd6:$a: NanoCore
  • 0x45c2b:$a: NanoCore
  • 0x45c40:$a: NanoCore
  • 0x45c75:$a: NanoCore
  • 0x13af7:$b: ClientPlugin
  • 0x13b34:$b: ClientPlugin
  • 0x14432:$b: ClientPlugin
  • 0x1443f:$b: ClientPlugin
  • 0x18ed2:$b: ClientPlugin
  • 0x19142:$b: ClientPlugin
  • 0x1918c:$b: ClientPlugin
  • 0x2ca48:$b: ClientPlugin
00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
13 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.RegSvcs.exe.435ecb6.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x6483:$x1: NanoCore.ClientPluginHost
  • 0x1a020:$x1: NanoCore.ClientPluginHost
  • 0x32fbf:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x1a04d:$x2: IClientNetworkHost
  • 0x32fec:$x2: IClientNetworkHost
8.2.RegSvcs.exe.435ecb6.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x6483:$x2: NanoCore.ClientPluginHost
  • 0x1a020:$x2: NanoCore.ClientPluginHost
  • 0x32fbf:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x6561:$s4: PipeCreated
  • 0x1b0fb:$s4: PipeCreated
  • 0x3409a:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x649d:$s5: IClientLoggingHost
  • 0x1a03a:$s5: IClientLoggingHost
  • 0x32fd9:$s5: IClientLoggingHost
8.2.RegSvcs.exe.435ecb6.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
8.2.RegSvcs.exe.435ecb6.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xddf:$a: NanoCore
  • 0xe38:$a: NanoCore
  • 0xe75:$a: NanoCore
  • 0xeee:$a: NanoCore
  • 0x6483:$a: NanoCore
  • 0x64cd:$a: NanoCore
  • 0x66b7:$a: NanoCore
  • 0x19fd6:$a: NanoCore
  • 0x19feb:$a: NanoCore
  • 0x1a020:$a: NanoCore
  • 0x32f75:$a: NanoCore
  • 0x32f8a:$a: NanoCore
  • 0x32fbf:$a: NanoCore
  • 0xe41:$b: ClientPlugin
  • 0xe7e:$b: ClientPlugin
  • 0x177c:$b: ClientPlugin
  • 0x1789:$b: ClientPlugin
  • 0x621c:$b: ClientPlugin
  • 0x648c:$b: ClientPlugin
  • 0x64d6:$b: ClientPlugin
  • 0x19d92:$b: ClientPlugin
8.2.RegSvcs.exe.3321364.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40c2:$x1: NanoCore.ClientPluginHost
42 further entries not shown.

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe', ParentImage: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, ParentProcessId: 6180, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp', ProcessId: 6412

Signature Overview

AV Detection:

Found malware configuration
Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (the extracted configuration is listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net, Virustotal: Detection: 8%
Source: 79.134.225.40, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe, Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe, ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Virustotal: Detection: 59%
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Metadefender: Detection: 21%
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY
Source: Yara match, File source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Joe Sandbox ML: detected
Source: 8.2.RegSvcs.exe.6040000.10.unpack, Avira: Label: TR/NanoCore.fadte
Source: 8.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000D.00000002.261639651.00000000051A0000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.277252433.0000000004B60000.00000002.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source: Binary string: mscorrc.pdb source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249624796.00000000056A0000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.513520792.0000000005D40000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.262132674.0000000005250000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.273411425.0000000004D90000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05548810: 4x nop then mov esp, ebp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 79.134.225.40
Source: Malware configuration extractor, URLs: strongodss.ddns.net
Uses dynamic DNS services
Source: unknown, DNS query: name: strongodss.ddns.net
Source: global traffic, TCP traffic: 192.168.2.5:49706 -> 79.134.225.82:48154
Source: global traffic, TCP traffic: 192.168.2.5:49714 -> 79.134.225.40:48154
Source: Joe Sandbox View, IP Address: 79.134.225.40
Source: Joe Sandbox View, IP Address: 79.134.225.82
Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH (both IP addresses)
Source: unknown, TCP traffic detected without corresponding DNS query: 79.134.225.40 (18 occurrences)
Source: unknown, DNS traffic detected: queries for: strongodss.ddns.net
Source: powershell.exe, 00000006.00000003.352217202.0000000009532000.00000004.00000001.sdmp, String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000002.00000003.318477069.0000000005695000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.243399430.000000000142B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara matches as listed under AV Detection above)

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_016C34D2 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_016C3498 NtQuerySystemInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_0566178E NtQuerySystemInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05661753 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_00C27804
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01680A99
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01681CE0
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01680AEA
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01681D88
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01684427
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_01684438
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05548D68
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05549968
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05543850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_055423A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05542FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_0554B638
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_0554306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_0554A210
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05549A2F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 13_2_02B50709
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_02620700
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.242921492.0000000000CE4000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSoapYearMonth.exeN vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.247122126.0000000004341000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameDebuggerHiddenAttribute.dllX vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.250794743.0000000006330000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249575124.0000000005680000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameDurmu_ vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.243399430.000000000142B000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.251726911.0000000006430000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.251726911.0000000006430000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249624796.00000000056A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Binary or memory string: OriginalFilenameSoapYearMonth.exeN vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
        Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
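        The Yara matches above, together with the "Mutant created" and "File created" entries further down in this section, are the pieces of this report an analyst usually wants as indicators: which rules fired and where, the sample-specific mutex name, and the dropped-file paths. The following Python script is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses a handful of signature lines copied from this page (embedded below as constructed sample input; one line keeps the fused "exeFile created:" label and the "Jump to behavior" link text exactly as the page extraction produced them) into deduplicated, structured IOCs. The list of mutex names it treats as benign Windows noise is an assumption, not something the report states.

```python
"""Turn the flattened 'Source: ...' signature lines of a Joe Sandbox report
into structured indicators: which YARA rules fired (with their metadata and
where), which mutexes were created, and which files were dropped."""
import re
from collections import OrderedDict

# Constructed sample: a few lines copied from the report above. The second
# "File created" line keeps the fused label and the "Jump to behavior" link
# residue as extracted, to show the parser copes with both forms.
SAMPLE_REPORT = r"""
Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exeFile created: C:\Users\user\AppData\Roaming\gKpxRZsP.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{caa6fa7a-f28b-4f9f-9a4a-ce9e52900e9d}
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
"""

# The extraction sometimes glues the label to the source path
# ("...exeMutant created:"), so no separator is required before a label.
SOURCE_RE = re.compile(r"^Source:\s*(?P<src>.+?),?\s*(?=type:|Matched rule:|Mutant created:|File created:)")
RULE_RE = re.compile(r"type:\s*(?P<type>[A-Z]+).*?Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$")
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")      # 'key = value, key = value'
MUTEX_RE = re.compile(r"Mutant created:\s*(?P<name>.+?)\s*$")
FILE_RE = re.compile(r"File created:\s*(?P<path>.+?)(?:Jump to behavior)?\s*$")

# Assumption (not from the report): mutexes that conhost.exe and the .NET
# runtime create on any Windows host; dropped so only sample-specific names remain.
BENIGN_MUTEX_RE = re.compile(r"WilError_01$|\.net clr networking$")


def parse_rule_meta(meta: str) -> dict:
    """'date = 2016-04-22, author = Florian Roth, ...' -> {'date': ..., 'author': ...}"""
    return {key: value.strip() for key, value in META_RE.findall(meta)}


def extract_iocs(report_text: str) -> dict:
    """Return {'rules': {name: {'meta', 'hits'}}, 'mutexes': [...], 'files': [...]}."""
    rules: "OrderedDict[str, dict]" = OrderedDict()
    mutexes, files = set(), set()
    for raw in report_text.splitlines():
        line = raw.strip()
        src_match = SOURCE_RE.match(line)
        if not src_match:
            continue  # not a signature line
        src = src_match.group("src")
        if (m := RULE_RE.search(line)):
            entry = rules.setdefault(
                m.group("rule"), {"meta": parse_rule_meta(m.group("meta")), "hits": set()}
            )
            entry["hits"].add(f"{src} ({m.group('type')})")   # same rule, many memory regions
        elif (m := MUTEX_RE.search(line)):
            if not BENIGN_MUTEX_RE.search(m.group("name")):
                mutexes.add(m.group("name"))
        elif (m := FILE_RE.search(line)):
            files.add(m.group("path"))                           # link residue already stripped
    for entry in rules.values():
        entry["hits"] = sorted(entry["hits"])
    return {"rules": dict(rules), "mutexes": sorted(mutexes), "files": sorted(files)}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_REPORT)
    for name, entry in result["rules"].items():
        print(f"{name}: {len(entry['hits'])} hit(s), author={entry['meta'].get('author')}")
    print("mutexes:", result["mutexes"])
    print("files:", result["files"])
```

        Point the script at the whole signature section instead of the embedded sample and the rule table collapses the dozens of per-region matches above into one entry per rule, which is what you would carry into a ticket or a hunting query; the GUID-style Global mutex and the two dropped paths are the host-side indicators.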
        Source: 8.2.RegSvcs.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 8.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'CreateDecryptor'
        Source: 8.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine, Classification label: mal100.troj.evad.winEXE@24/24@9/2
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_016C3402 AdjustTokenPrivileges
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Code function: 0_2_016C33CB AdjustTokenPrivileges
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_0566154E AdjustTokenPrivileges
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 8_2_05661517 AdjustTokenPrivileges
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, File created: C:\Users\user\AppData\Roaming\gKpxRZsP.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{caa6fa7a-f28b-4f9f-9a4a-ce9e52900e9d}
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_01
        Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, Mutant created: \Sessions\1\BaseNamedObjects\TfLSqZmwSYpyY
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions