
Analysis Report Shipping Documents Original BL, Invoice & Pa.exe

Overview

General Information

Sample Name:Shipping Documents Original BL, Invoice & Pa.exe
Analysis ID:403691
MD5:b89d3e7dd6ee20a09506365497f6cc3a
SHA1:d5a40ae65560da802d5c5135d024d5fa8e840ff4
SHA256:c2af0dcf4558a32fde15405648d8dd6410c51d319812755fcb8e4f742723bad7
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

DLL reload attack detected
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping Documents Original BL, Invoice & Pa.exe (PID: 5936 cmdline: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' MD5: B89D3E7DD6EE20A09506365497F6CC3A)
    • MSBuild.exe (PID: 5764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 5792 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1680 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 1556 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 980 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "692d457c-2b26-4af6-a5f8-088a1838", "Group": "Default", "Domain1": "", "Domain2": "172.93.166.26", "Port": 4090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x11fe0d:$x1: NanoCore.ClientPluginHost
  • 0x15282d:$x1: NanoCore.ClientPluginHost
  • 0x11fe4a:$x2: IClientNetworkHost
  • 0x15286a:$x2: IClientNetworkHost
  • 0x12397d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x15639d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x11fb75:$a: NanoCore
  • 0x11fb85:$a: NanoCore
  • 0x11fdb9:$a: NanoCore
  • 0x11fdcd:$a: NanoCore
  • 0x11fe0d:$a: NanoCore
  • 0x152595:$a: NanoCore
  • 0x1525a5:$a: NanoCore
  • 0x1527d9:$a: NanoCore
  • 0x1527ed:$a: NanoCore
  • 0x15282d:$a: NanoCore
  • 0x11fbd4:$b: ClientPlugin
  • 0x11fdd6:$b: ClientPlugin
  • 0x11fe16:$b: ClientPlugin
  • 0x1525f4:$b: ClientPlugin
  • 0x1527f6:$b: ClientPlugin
  • 0x152836:$b: ClientPlugin
  • 0x11fcfb:$c: ProjectData
  • 0x15271b:$c: ProjectData
  • 0x272bb6:$c: ProjectData
  • 0x2f4bd6:$c: ProjectData
  • 0x120702:$d: DESCrypto
00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x30800:$x1: NanoCore.ClientPluginHost
  • 0x4f2a6:$x1: NanoCore.ClientPluginHost
  • 0x30861:$x2: IClientNetworkHost
  • 0x4f307:$x2: IClientNetworkHost
  • 0x35c66:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x43bd8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x5470c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x6267e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x42bad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x42bea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', ParentImage: C:\Windows\SysWOW64\schtasks.exe, ParentProcessId: 5792, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5788
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' , ParentImage: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, ParentProcessId: 5936, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764

Persistence and Installation Behavior:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 5764, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', ProcessId: 5792

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "692d457c-2b26-4af6-a5f8-088a1838", "Group": "Default", "Domain1": "", "Domain2": "172.93.166.26", "Port": 4090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
Source: Yara match, File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Shipping Documents Original BL, Invoice & Pa.exe, Joe Sandbox ML: detected
Source: Shipping Documents Original BL, Invoice & Pa.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Shipping Documents Original BL, Invoice & Pa.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_07A4B700
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_07A4CFA0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_07A4DCA0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_07A4DB60
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_07A4DAA0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49723 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49724 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49726 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49728 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49730 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49731 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49732 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49733 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49734 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49735 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49738 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 172.93.166.26:4090
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 172.93.166.26:4090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs:
Source: Malware configuration extractor, URLs: 172.93.166.26
Source: Joe Sandbox View, ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
Source: unknown, TCP traffic detected without corresponding DNS query: 2.20.142.209
Source: unknown, TCP traffic detected without corresponding DNS query: 172.93.166.26 (49 occurrences)
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670534502.0000000002DD1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.654396019.0000000005FFC000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/type
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Documents Original BL, Invoice & Pa.exe, String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: Shipping Documents Original BL, Invoice & Pa.exe, String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.655221857.0000000005FFC000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656756517.0000000005FFC000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656074649.0000000005FFC000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html8
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.651499309.000000000600B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.653276119.0000000006005000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnt
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.659032488.0000000005FFB000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.658535409.0000000005FFC000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr0I
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.krK
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.krr
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.660037136.0000000006025000.00000004.00000001.sdmp, String found in binary or memory: http://www.monot.
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr.
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kra-d
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krcom
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kre
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.657239356.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
        Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Source: Yara match | File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: Shipping Documents Original BL, Invoice & Pa.exe
        Source: initial sample | Static PE information: Filename: Shipping Documents Original BL, Invoice & Pa.exe
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_014FC2B0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_014F9990
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A4ACE8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A4C138
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A457C8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A457D8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A45520
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A45510
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A40BD8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A40B2B
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A440F8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A40007
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A45068
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A47068
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A45078
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_07A40040
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952BBB0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_09528BAA
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_09520040
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952B3F8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952D590
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952C620
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952F858
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952F868
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952A800
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952FAC0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952FAB1
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_095291A0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952C098
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952C0A0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_09523250
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952E240
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952E231
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952D55E
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952F630
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0952F621
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_00BE5CF9
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_00BE2148
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_00BE4A20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_00BE2133
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_00BE1A40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00EC5868
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00EC4580
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00EC2148
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00EC1A40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00EC2133
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01732370
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01735208
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01731A40
        Source: dhcpmon.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.686876240.0000000009390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.687212948.0000000009470000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe | Binary or memory string: OriginalFilenameManifestEnvelope.exeB vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Shipping Documents Original BL, Invoice & Pa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.1.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Shared/TaskLoader.cs | Task registration methods: 'CreateTask'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs | Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: dhcpmon.exe, 0000000A.00000002.704185808.00000000033C1000.00000004.00000001.sdmp | Binary or memory string: l)C:\Program Files (x86)\DHCP Monitor\*.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
        Source: dhcpmon.exe, dhcpmon.exe.1.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
        Source: dhcpmon.exe, 0000000A.00000002.704185808.00000000033C1000.00000004.00000001.sdmp | Binary or memory string: *.slnP#
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
        Source: dhcpmon.exe, dhcpmon.exe.1.dr | Binary or memory string: *.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: MSBuild MyApp.csproj /t:Clean
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: /ignoreprojectextensions:.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/14@0/1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents Original BL, Invoice & Pa.exe.log
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4804:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{692d457c-2b26-4af6-a5f8-088a183828b4}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF57E.tmp
        Source: Shipping Documents Original BL, Invoice & Pa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77