Play interactive tour

Edit tour

Analysis Report SYT09009.exe

Overview

General Information

Sample Name:	SYT09009.exe
Analysis ID:	411310
MD5:	fbfddfc110fd9d3775674447316de3d8
SHA1:	250149eebd54c774175cef2a09344cf429ca6f57
SHA256:	b98a4c0f84e431cbff5477f1e1ddfe1a93ba56775148cfca7f061f9beca0e48f
Tags:	NanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SYT09009.exe (PID: 4956 cmdline: 'C:\Users\user\Desktop\SYT09009.exe' MD5: FBFDDFC110FD9D3775674447316DE3D8)

MSBuild.exe (PID: 3332 cmdline: 'C:\Users\user\Desktop\SYT09009.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 4320 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5840 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5868 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4440 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6140 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2dd052c5-2546-4017-851f-7f690b3c", "Group": "Default", "Domain1": "185.222.57.171", "Domain2": "", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d7a:$a: NanoCore 0x1d9f:$a: NanoCore 0x1df8:$a: NanoCore 0x11f95:$a: NanoCore 0x11fbb:$a: NanoCore 0x12017:$a: NanoCore 0x1ee6c:$a: NanoCore 0x1eec5:$a: NanoCore 0x1eef8:$a: NanoCore 0x1f124:$a: NanoCore 0x1f1a0:$a: NanoCore 0x1f7b9:$a: NanoCore 0x1f902:$a: NanoCore 0x1fdd6:$a: NanoCore 0x200bd:$a: NanoCore 0x200d4:$a: NanoCore 0x2345d:$a: NanoCore 0x24817:$a: NanoCore 0x24861:$a: NanoCore 0x254bb:$a: NanoCore 0x2aaa0:$a: NanoCore
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Process Memory Space: MSBuild.exe PID: 3332	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x554a3:$a: NanoCore 0x554c8:$a: NanoCore 0x55604:$a: NanoCore 0xba891:$a: NanoCore 0x113435:$a: NanoCore 0x11345a:$a: NanoCore 0x113596:$a: NanoCore 0x1baabd:$a: NanoCore 0x1baafa:$a: NanoCore 0x1bab83:$a: NanoCore 0x1bff1b:$a: NanoCore 0x1bff3e:$a: NanoCore 0x1bff93:$a: NanoCore 0x1c53d6:$a: NanoCore 0x1c5414:$a: NanoCore 0x1c54a0:$a: NanoCore 0x1cfe3d:$a: NanoCore 0x1cfe61:$a: NanoCore 0x1cfeb9:$a: NanoCore 0x1d7ad5:$a: NanoCore 0x1d7b76:$a: NanoCore
Process Memory Space: SYT09009.exe PID: 4956	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x127cbb:$x1: NanoCore.ClientPluginHost 0x127d1c:$x2: IClientNetworkHost 0x12d121:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13b093:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SYT09009.exe PID: 4956	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SYT09009.exe PID: 4956	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1277c0:$a: NanoCore 0x1277dc:$a: NanoCore 0x127937:$a: NanoCore 0x127946:$a: NanoCore 0x127c1f:$a: NanoCore 0x127c4b:$a: NanoCore 0x127cbb:$a: NanoCore 0x1376fd:$a: NanoCore 0x13770f:$a: NanoCore 0x13774b:$a: NanoCore 0x127867:$b: ClientPlugin 0x127990:$b: ClientPlugin 0x127c54:$b: ClientPlugin 0x127cc4:$b: ClientPlugin 0x137718:$b: ClientPlugin 0x137754:$b: ClientPlugin 0x127add:$c: ProjectData 0x13764a:$c: ProjectData 0x128c19:$d: DESCrypto 0x137fa8:$d: DESCrypto 0x132fa6:$e: KeepAlive
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SYT09009.exe.2450000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SYT09009.exe.2450000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.SYT09009.exe.2450000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SYT09009.exe.2450000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.MSBuild.exe.404c416.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.3.MSBuild.exe.404c416.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.3.MSBuild.exe.406646f.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3831:$x1: NanoCore.ClientPluginHost 0x386a:$x2: IClientNetworkHost
1.3.MSBuild.exe.406646f.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3831:$x2: NanoCore.ClientPluginHost 0x394c:$s4: PipeCreated 0x384b:$s5: IClientLoggingHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x6dd6:$x1: NanoCore.ClientPluginHost 0xd05f:$x1: NanoCore.ClientPluginHost 0x1766e:$x1: NanoCore.ClientPluginHost 0x21a99:$x1: NanoCore.ClientPluginHost 0x2ca76:$x1: NanoCore.ClientPluginHost 0x38818:$x1: NanoCore.ClientPluginHost 0x5d71c:$x1: NanoCore.ClientPluginHost 0x6cb5c:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xd098:$x2: IClientNetworkHost 0x177cb:$x2: IClientNetworkHost 0x21ad2:$x2: IClientNetworkHost 0x2ca90:$x2: IClientNetworkHost 0x38832:$x2: IClientNetworkHost 0x5d736:$x2: IClientNetworkHost 0x6cb99:$x2: IClientNetworkHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x6dd6:$x2: NanoCore.ClientPluginHost 0xd05f:$x2: NanoCore.ClientPluginHost 0x1766e:$x2: NanoCore.ClientPluginHost 0x21a99:$x2: NanoCore.ClientPluginHost 0x2ca76:$x2: NanoCore.ClientPluginHost 0x38818:$x2: NanoCore.ClientPluginHost 0x5d71c:$x2: NanoCore.ClientPluginHost 0x6cb5c:$x2: NanoCore.ClientPluginHost 0x185c4:$s3: PipeExists 0x1800:$s4: PipeCreated 0x6eb4:$s4: PipeCreated 0xd17a:$s4: PipeCreated 0x17864:$s4: PipeCreated 0x21be4:$s4: PipeCreated 0x2daab:$s4: PipeCreated 0x3a5c3:$s4: PipeCreated 0x60a59:$s4: PipeCreated 0x6ffaf:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0x6df0:$s5: IClientLoggingHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x5a1c:$a: NanoCore 0x6dd6:$a: NanoCore 0x6e20:$a: NanoCore 0x7a7a:$a: NanoCore 0xd05f:$a: NanoCore 0xd0d9:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
0.2.SYT09009.exe.2450000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SYT09009.exe.2450000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.SYT09009.exe.2450000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SYT09009.exe.2450000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.3.MSBuild.exe.406646f.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0x7631:$x1: NanoCore.ClientPluginHost 0x11c40:$x1: NanoCore.ClientPluginHost 0x1c06b:$x1: NanoCore.ClientPluginHost 0x27048:$x1: NanoCore.ClientPluginHost 0x32dea:$x1: NanoCore.ClientPluginHost 0x57cee:$x1: NanoCore.ClientPluginHost 0x6712e:$x1: NanoCore.ClientPluginHost 0x766a:$x2: IClientNetworkHost 0x11d9d:$x2: IClientNetworkHost 0x1c0a4:$x2: IClientNetworkHost 0x27062:$x2: IClientNetworkHost 0x32e04:$x2: IClientNetworkHost 0x57d08:$x2: IClientNetworkHost 0x6716b:$x2: IClientNetworkHost
1.3.MSBuild.exe.406646f.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x7631:$x2: NanoCore.ClientPluginHost 0x11c40:$x2: NanoCore.ClientPluginHost 0x1c06b:$x2: NanoCore.ClientPluginHost 0x27048:$x2: NanoCore.ClientPluginHost 0x32dea:$x2: NanoCore.ClientPluginHost 0x57cee:$x2: NanoCore.ClientPluginHost 0x6712e:$x2: NanoCore.ClientPluginHost 0x12b96:$s3: PipeExists 0x1486:$s4: PipeCreated 0x774c:$s4: PipeCreated 0x11e36:$s4: PipeCreated 0x1c1b6:$s4: PipeCreated 0x2807d:$s4: PipeCreated 0x34b95:$s4: PipeCreated 0x5b02b:$s4: PipeCreated 0x6a581:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost 0x764b:$s5: IClientLoggingHost 0x11c5a:$s5: IClientLoggingHost 0x1c085:$s5: IClientLoggingHost
1.3.MSBuild.exe.406646f.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7631:$a: NanoCore 0x76ab:$a: NanoCore 0x11c40:$a: NanoCore 0x11d2a:$a: NanoCore 0x12ba1:$a: NanoCore 0x1bd4b:$a: NanoCore 0x1bdac:$a: NanoCore 0x1bdef:$a: NanoCore 0x1be2f:$a: NanoCore 0x1c06b:$a: NanoCore 0x1c10b:$a: NanoCore 0x1c8e3:$a: NanoCore 0x1ced6:$a: NanoCore 0x1d027:$a: NanoCore 0x1de81:$a: NanoCore 0x1e0e8:$a: NanoCore 0x1e0fd:$a: NanoCore 0x1e11c:$a: NanoCore
1.3.MSBuild.exe.404c416.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1b401:$x1: NanoCore.ClientPluginHost 0x2168a:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x71d47:$x1: NanoCore.ClientPluginHost 0x81187:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x216c3:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x71d61:$x2: IClientNetworkHost 0x811c4:$x2: IClientNetworkHost
1.3.MSBuild.exe.404c416.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d0e:$x2: NanoCore.ClientPluginHost 0x1b401:$x2: NanoCore.ClientPluginHost 0x2168a:$x2: NanoCore.ClientPluginHost 0x2bc99:$x2: NanoCore.ClientPluginHost 0x360c4:$x2: NanoCore.ClientPluginHost 0x410a1:$x2: NanoCore.ClientPluginHost 0x4ce43:$x2: NanoCore.ClientPluginHost 0x71d47:$x2: NanoCore.ClientPluginHost 0x81187:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cbef:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e2b:$s4: PipeCreated 0x1b4df:$s4: PipeCreated 0x217a5:$s4: PipeCreated 0x2be8f:$s4: PipeCreated 0x3620f:$s4: PipeCreated 0x420d6:$s4: PipeCreated 0x4ebee:$s4: PipeCreated 0x75084:$s4: PipeCreated
1.3.MSBuild.exe.404c416.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1a047:$a: NanoCore 0x1b401:$a: NanoCore 0x1b44b:$a: NanoCore 0x1c0a5:$a: NanoCore 0x2168a:$a: NanoCore 0x21704:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
Click to see the 16 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 3332, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.SYT09009.exe.2450000.4.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2dd052c5-2546-4017-851f-7f690b3c", "Group": "Default", "Domain1": "185.222.57.171", "Domain2": "", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Show sources

Source: SYT09009.exe

ReversingLabs: Detection: 38%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Source: SYT09009.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: SYT09009.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004027A1 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49733 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49743 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49755 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49756 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49759 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49760 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49761 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49762 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49763 -> 185.222.57.171:4445

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 185.222.57.171

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 185.222.57.171:4445

Source: Joe Sandbox View

IP Address: 185.222.57.171 185.222.57.171

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171

Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: SYT09009.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SYT09009.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 3332, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_00406945
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040711C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 6_2_02E40708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_0074692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00746950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00746D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_02AC0708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00846D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00846950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0084692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_02B10708

Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SYT09009.exe, 00000000.00000003.243093126.0000000002AC6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SYT09009.exe
Source: SYT09009.exe, 00000000.00000002.251037646.0000000002430000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SYT09009.exe

Source: SYT09009.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 3332, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: dhcpmon.exe, 0000000C.00000002.274363697.0000000002EB1000.00000004.00000001.sdmp	Binary or memory string: r)C:\Program Files (x86)\DHCP Monitor\.sln
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: dhcpmon.exe	Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/16@0/1

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2dd052c5-2546-4017-851f-7f690b3c80bf}

Source: C:\Users\user\Desktop\SYT09009.exe

File created: C:\Users\user\AppData\Local\Temp\nsa939E.tmp

Jump to behavior

Source: SYT09009.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\SYT09009.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SYT09009.exe

ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\SYT09009.exe

File read: C:\Users\user\Desktop\SYT09009.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SYT09009.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'

Source: C:\Users\user\Desktop\SYT09009.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: SYT09009.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 6_2_012A292C push cs; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0112271D push cs; ret

Source: C:\Users\user\Desktop\SYT09009.exe	File created: C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\SYT09009.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\SYT09009.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 366
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 654
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 611

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3440	Thread sleep time: -280000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4488	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004027A1 FindFirstFileA,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 00000001.00000003.316218325.0000000000CC5000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_10001110 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_024434C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_024431FE mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SYT09009.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SYT09009.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 753008

Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'

Source: MSBuild.exe, 00000001.00000003.353432362.0000000000D01000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000001.00000003.334314497.0000000000D01000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exe
Source: MSBuild.exe, 00000001.00000003.316218325.0000000000CC5000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exe43

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation

Source: C:\Users\user\Desktop\SYT09009.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: SYT09009.exe, 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection212	Disable or Modify Tools1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection212	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	System Information Discovery14	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SYT09009.exe	38%	ReversingLabs	Win32.Trojan.SpyNoon

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll	11%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SYT09009.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File
0.0.SYT09009.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
185.222.57.171	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
185.222.57.171	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	SYT09009.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	SYT09009.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.171	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411310
Start date:	11.05.2021
Start time:	19:39:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SYT09009.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/16@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 26% (good quality ratio 24.6%) Quality average: 82.3% Quality standard deviation: 27.1%
HCA Information:	Successful, ratio: 79% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 23.57.81.29, 92.122.145.220, 40.88.32.150, 23.57.80.111, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.143.16, 2.20.142.209, 51.103.5.186, 20.54.26.129, 52.155.217.156, 20.82.209.183 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/411310/sample/SYT09009.exe

Simulations

Behavior and APIs

Time	Type	Description
19:40:57	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:40:58	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
19:40:58	API Interceptor	968x Sleep call for process: MSBuild.exe modified
19:41:00	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.222.57.171	EyOVPbKPk5.exe	Get hash	malicious	Browse
	AS90800009000000.exe	Get hash	malicious	Browse
	090090000000.exe	Get hash	malicious	Browse
	fatura 893454.pdf.exe	Get hash	malicious	Browse
	0997430988.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	shipment documents.jar	Get hash	malicious	Browse	185.222.58.147
	EyOVPbKPk5.exe	Get hash	malicious	Browse	185.222.57.171
	F14 PO pdf.jar	Get hash	malicious	Browse	185.222.58.147
	AS90800009000000.exe	Get hash	malicious	Browse	185.222.57.171
	FATOUOO000.exe	Get hash	malicious	Browse	185.222.58.152
	Statement of Account April-2021.exe	Get hash	malicious	Browse	45.137.22.107
	90800000900.exe	Get hash	malicious	Browse	45.137.22.107
	fixxing.exe	Get hash	malicious	Browse	45.137.22.50
	note-mxm.exe	Get hash	malicious	Browse	45.137.22.50
	purchase order confirmation.exe	Get hash	malicious	Browse	45.137.22.50
	purchase order acknowledgement.exe	Get hash	malicious	Browse	45.137.22.50
	TBBurmah Trading Co., Ltd - products inquiry .exe	Get hash	malicious	Browse	45.137.22.50
	FRIEGHT PAYMENT 41,634.20 USD..exe	Get hash	malicious	Browse	45.137.22.107
	Due Invoices.exe	Get hash	malicious	Browse	45.137.22.107
	PURCHASE ORDER - #0022223 DATED 29042021.exe	Get hash	malicious	Browse	45.137.22.50
	PURCHASE ORDER - #0022223, date29042021.exe	Get hash	malicious	Browse	45.137.22.50
	B_N SAO SWIFT MT103.exe	Get hash	malicious	Browse	45.137.22.50
	PO0900009.exe	Get hash	malicious	Browse	185.222.58.152
	PURCHASE ORDER - #0022223 DATED 28042021.exe	Get hash	malicious	Browse	45.137.22.50
	Order ConfirmationSANQAW12NC9W03.exe	Get hash	malicious	Browse	185.222.57.152

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse
	cotizaci#U00f3n.PDF.exe	Get hash	malicious	Browse
	MT103 Slip.exe	Get hash	malicious	Browse
	Bank details.exe	Get hash	malicious	Browse
	Shandong CIRS Form.exe	Get hash	malicious	Browse
	Placement approval.exe	Get hash	malicious	Browse
	filespdf.exe	Get hash	malicious	Browse
	goood.exe	Get hash	malicious	Browse
	Orden n.#U00ba STL21119, pdf.exe	Get hash	malicious	Browse
	Orden n.#U00ba 21115, pdf.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	DFR2154747.vbe	Get hash	malicious	Browse
	SOA Dec2020.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Mikey.117100.12986.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Get hash	malicious	Browse
	Purchase Order PDF pdf.exe	Get hash	malicious	Browse
	Orden CW62125Q, pdf.exe	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: RFQEMFA.Elektrik.exe, Detection: malicious, Browse Filename: cotizaci#U00f3n.PDF.exe, Detection: malicious, Browse Filename: MT103 Slip.exe, Detection: malicious, Browse Filename: Bank details.exe, Detection: malicious, Browse Filename: Shandong CIRS Form.exe, Detection: malicious, Browse Filename: Placement approval.exe, Detection: malicious, Browse Filename: filespdf.exe, Detection: malicious, Browse Filename: goood.exe, Detection: malicious, Browse Filename: Orden n.#U00ba STL21119, pdf.exe, Detection: malicious, Browse Filename: Orden n.#U00ba 21115, pdf.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: DFR2154747.vbe, Detection: malicious, Browse Filename: SOA Dec2020.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Mikey.117100.12986.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, Detection: malicious, Browse Filename: Purchase Order PDF pdf.exe, Detection: malicious, Browse Filename: Orden CW62125Q, pdf.exe, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	441
Entropy (8bit):	5.388715099859351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U2+gYhD5itZbgbe4MqJsGMe4M6:MLF20NaL32+g2OH4xvn4j
MD5:	88F0104DB9A3F9BC4F0FC3805F571B0D
SHA1:	CDD4F34385792F0CCE0A844F4ABB447C25AB4E73
SHA-256:	F6C11D3D078ED73F2640DA510E68DEEAA5F14F79CAE2E23A254B4E37C7D0230F
SHA-512:	04B977F63CAB8DE20EA7EFA9D4299C2E625D92FA6D54CA03EECD9F322E978326B353824F23BEC0E712083BDE0DBC5CC4EE90922137106B096050CA46A166DF0E
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\5p0l53h9iyxojbq47 Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	data
Category:	dropped
Size (bytes):	13829
Entropy (8bit):	7.988330917782456
Encrypted:	false
SSDEEP:	384:1GhUkGyqVQozym1urnHgmHpgRWkHmUmUiYPsAUTmx6b1Eu:1fVNyw4HVHp8WE/sAUTmx65Eu
MD5:	8552DD44F179CF07D797311847F7C2FE
SHA1:	C6F98C25CA2FF7B2274AFDC4C15962A01A6DABAD
SHA-256:	FE33D4505AB83ED038680604357D38D0AF928054D3C9FB1A17BB639A5007367A
SHA-512:	427B6D1276F1C73138283C533C06C708A17B7D96FC0F3DD67E28B1CF2F4647FA61266C58DA5D014F28049891688318C3CE81927CB77BD19CFD8F5627AFEC77FF
Malicious:	false
Preview:	^..kx.!_.6..{.v.7I:.T.........d...0D}...j.c...W......\|L.....F..5.eV.O'T&u..4.........J..V[`b...[!(................=......................-2......$.O.+.u.}~..&.:Y#F...p_(+..A:dA.M...".,..........^A.[n.;.'.3....<ub.v...F'.[.g.\MN(.V.jI.v{..u.O.{..qjt..~}.2/<n.s,/.......q.....h...7.. pi...U........l.W......YZ9&KP.....8aZ.Zm..fB?L~....?l4....~.............P.....B%..>......;..d....?6.... "Q`...QJ.~.^]V...N.....\|D56@...1.....X.0....rL.r5.E....6...$w4..8.fyz.....R.0.hk(..z$.:.NM.b_l^..._L.ef.....a...xj..g`sp...\|..E6....t...........I..:.......X.8H14...>=.....D....\dUV.mN...R.$.......\|..g..[..e..~.......I0..(......:.....#.....T! ..b....>.JG.+A.U\`...]P.b'.R76;..}..0.....c.&..roG.y`mD8...%....zj_...'yz.....R;0.h.t.65.A.E...Q"..M..7..f..t...-......n.6y..v...m.7.c<3....}.I..r.5......p]..-T%Uf....vO.c..U.!..a`Y....N.#...>....l.......^.....=.......B#.......o9 ..D.$..6.....~S..E..X(...ij.f....:7<.M... .,....u.%....f..K.n.......%e},...9-._

C:\Users\user\AppData\Local\Temp\al46nknojj Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.9992611810929555
Encrypted:	true
SSDEEP:	6144:WfOwF9z+53e7/1yzxQ63W9CgE4iB1fMMtD8Dq:QOMhEzWskiznkq
MD5:	C48006F5FF0B9B55937304AF196BCD29
SHA1:	4D1EA741919EACB5D19703006A93A5BB212AF905
SHA-256:	0A95E106ACB942AD49D9C4418BF3E0CCBC59CD27517BF35B7BC64AC3FE39240B
SHA-512:	C6DC55FD1F47BEAFC5E8355CF80AD5BF2FFB4810D33AA2212B9FF430787AD4D38E3A098D183616D253196692EA33D7ABCADEA47A5F85770C444669D0BC847C0D
Malicious:	false
Preview:	]..0)....b.n.e;....7......g....,.Ox.A.G.a.P.!\ye..d/.h.$..o..2.q"[..q....>.....am.....;.=..._.6......#..#z.d.E....d.p.....SRa1].."..FT.......\...9}....l..#....cx,...t_.......<`xL.....5..t.D.4Q.......T..~..KY)~p7.Gbu#.};!.p..Z+LB../...y.=.......)+..P..R.H.1X;........M.C..k.8....hr...x...)....H.bz._{..y...9.J....3-T. .L.Q.ca....B....~..'..... ..s.nc.!...Wn.7...8.......KZP..?.R..(..g.9y..jB.r0"...&pS...]..2Xr ..\|......4.N[?.o,u)..]....m.>..S.........>...<.}..P..i..k........uI.....Y...zV.....k../.G.i..G[z6........h...5H.[.-..x..:.a.N.R5J.z.....&..M......l..m..........:......p........./E4m....Q......1....UO.'.....`....\|Bh<.5.W..<.ehc.....Z...t......n0q..C.v.8...,....&......c_..Y...gh].$.0....c.nf....<...{.C.]...VL.wA..W....5Qv....P.h!m.!..9JnreY)8....0.;...1A.L.4.{.L......5.m.+q!..t[...m..k.#.'..Q...."/......."...1fkp.T....W....h.[b........+...F..@$...0.......BT.T.......U.+.C..?....g.V^..R...ydq.....X6)z....a.jR..2........M.yR...J.J..

C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.666261408441134
Encrypted:	false
SSDEEP:	48:q/i+k4fpTvQuPihxea/we6e+pI7Wfr8o4PjhNElXb:Eke9s/96e+prr8o2hAX
MD5:	ACB4B0447D4A7F16E56D26161C75BC84
SHA1:	5B2C4AE36591FA30777EE0621433DDC653BCB77C
SHA-256:	4A872908678E042C3112E6B0C0386C0718B33A452719CFEEB4E4ACCE7172C91E
SHA-512:	3C9C04D066D6E3FBE1860097EC2243AB07955D485C1A020FEF26C0A2566F64B698CB601571DEDCFED64A1201DBCD0D05480CD0E77A3A21F06673660D5B61D59C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................PE..L......`...........!......................... ...............................@....................................... ..L....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data...&....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA63C.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhL
MD5:	74AACAE24C76D8BE7578A460BAE23521
SHA1:	523B694F22C1E962B7234BE9637DA09060CFB0C1
SHA-256:	2EFF42A56A82D1EB8E689FE73F5471B111FA17F1ECF72B90A731B59AFF691BFB
SHA-512:	5D715F8D14841552E280A9A5A5F749B23EEEBE713F7E95B288D921982800F2AB1FAAFDA67E420F28D882BF5904799E6BE62D4CAE451507FFB5EC3631B5D11FF6
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:b8:A
MD5:	D3220FBA2B0402A56F35209195959E3D
SHA1:	73A56FD2C595162AB8E9F61DEE5E062868F78A0A
SHA-256:	0971519E13E7EA981167C65746F6FA48B21F3E5091A79121E98D3A6995FD633B
SHA-512:	B4C2F2E5EB4EA7E9441ADBC90A37BF4260A5B249E70B8FC1C0020DF739F46F19EAD7615C1756F2E1BDEA4BBFEC0EBD90696657EB3CE3628B674C895ED7B0C473
Malicious:	true
Preview:	...^...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.7295913886343195
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SYT09009.exe
File size:	555010
MD5:	fbfddfc110fd9d3775674447316de3d8
SHA1:	250149eebd54c774175cef2a09344cf429ca6f57
SHA256:	b98a4c0f84e431cbff5477f1e1ddfe1a93ba56775148cfca7f061f9beca0e48f
SHA512:	ffa4360b559cda6b7c1d5ec9cb0f89446be9f693a34c4bb35e6b8d4c26778d95e7139634cf6ba1896dc254c9bcc55fb171252c365ae678e59c8338a09261f842
SSDEEP:	6144:49X0GPoprRVuufOwF9z+53e7/1yzxQ63W9CgE4iB1fMMtD8Dbc:O0LrP/OMhEzWskiznkA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	ae8cae8eb6aabe00

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F8840A0D453h
push ebx
call 00007F8840A105B6h
cmp eax, ebx
je 00007F8840A0D449h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8840A10532h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8840A0D42Dh
push 0000000Bh
call 00007F8840A1058Ah
push 00000009h
call 00007F8840A10583h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F8840A10577h
cmp eax, ebx
je 00007F8840A0D451h
push 0000001Eh
call eax
test eax, eax
je 00007F8840A0D449h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x48ba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x48ba8	0x48c00	False	0.0640470629296	data	4.76688901353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38340	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7a368	0x25a8	data	English	United States
RT_ICON	0x7c910	0x10a8	data	English	United States
RT_ICON	0x7d9b8	0xea8	data	English	United States
RT_ICON	0x7e860	0x8a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7f108	0x668	data	English	United States
RT_ICON	0x7f770	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x7fcd8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x80140	0x2e8	data	English	United States
RT_ICON	0x80428	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x80550	0x100	data	English	United States
RT_DIALOG	0x80650	0x11c	data	English	United States
RT_DIALOG	0x80770	0x60	data	English	United States
RT_GROUP_ICON	0x807d0	0x92	data	English	United States
RT_MANIFEST	0x80868	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/11/21-19:41:00.217795	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:07.017276	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:13.074122	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:17.376493	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:23.416228	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:30.481428	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:36.494819	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49732	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:42.950341	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:49.728010	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:56.010318	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:02.700606	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:08.910577	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:14.788279	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49752	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:20.775288	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:26.659939	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:32.535583	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:38.910159	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:44.786453	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:50.753969	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:57.151446	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	4445	192.168.2.5	185.222.57.171

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 19:40:39.981837988 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:39.982028008 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525325060 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525486946 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525574923 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525631905 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525676966 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525705099 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525723934 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525751114 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525768995 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525800943 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.572941065 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.572962999 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573002100 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573136091 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573510885 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573528051 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573539019 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573551893 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573559046 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573565006 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573609114 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573632956 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573751926 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573787928 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573909998 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.573949099 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574012041 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574059010 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574120998 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574136972 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574183941 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.574248075 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574395895 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.751949072 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.752115965 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:46.702603102 CEST	49693	443	192.168.2.5	20.50.102.62
May 11, 2021 19:40:46.702687979 CEST	49696	80	192.168.2.5	93.184.220.29
May 11, 2021 19:40:46.702949047 CEST	49694	443	192.168.2.5	20.50.102.62
May 11, 2021 19:41:00.139692068 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.188246012 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.188344002 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.217794895 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.276120901 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.276194096 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.279598951 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.279716015 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.338560104 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.338622093 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.385493994 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.404017925 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.479083061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.479147911 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.500022888 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500044107 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500060081 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500076056 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500087023 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500097036 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.500159025 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.548785925 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548820019 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548832893 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548844099 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548860073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548873901 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548886061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548902035 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548913956 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548979044 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.549019098 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595504999 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595524073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595540047 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595560074 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595577002 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595592022 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595597029 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595607996 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595618963 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595624924 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595638037 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595640898 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595657110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595659971 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595669031 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595695019 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.598835945 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598855972 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598870993 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598886967 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598897934 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598923922 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.598952055 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.602694035 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642422915 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642447948 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642465115 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642484903 CEST	4445	49718	185.222.57.171	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 19:40:41.097431898 CEST	61733	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:41.148153067 CEST	53	61733	8.8.8.8	192.168.2.5
May 11, 2021 19:40:41.909591913 CEST	65447	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:41.959249020 CEST	53	65447	8.8.8.8	192.168.2.5
May 11, 2021 19:40:42.046721935 CEST	52441	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:42.105967999 CEST	53	52441	8.8.8.8	192.168.2.5
May 11, 2021 19:40:42.728183985 CEST	62176	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:42.785489082 CEST	53	62176	8.8.8.8	192.168.2.5
May 11, 2021 19:40:43.706080914 CEST	59596	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:43.754923105 CEST	53	59596	8.8.8.8	192.168.2.5
May 11, 2021 19:40:44.184880018 CEST	65296	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:44.247273922 CEST	53	65296	8.8.8.8	192.168.2.5
May 11, 2021 19:40:44.533559084 CEST	63183	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:44.582956076 CEST	53	63183	8.8.8.8	192.168.2.5
May 11, 2021 19:40:46.383810997 CEST	60151	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:46.436259031 CEST	53	60151	8.8.8.8	192.168.2.5
May 11, 2021 19:40:47.325426102 CEST	56969	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:47.384027958 CEST	53	56969	8.8.8.8	192.168.2.5
May 11, 2021 19:40:48.260334969 CEST	55161	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:48.311880112 CEST	53	55161	8.8.8.8	192.168.2.5
May 11, 2021 19:40:49.094321012 CEST	54757	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:49.144437075 CEST	53	54757	8.8.8.8	192.168.2.5
May 11, 2021 19:40:52.681729078 CEST	49992	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:52.733273029 CEST	53	49992	8.8.8.8	192.168.2.5
May 11, 2021 19:41:05.331192970 CEST	60075	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:05.394089937 CEST	53	60075	8.8.8.8	192.168.2.5
May 11, 2021 19:41:17.269723892 CEST	55016	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:17.326965094 CEST	53	55016	8.8.8.8	192.168.2.5
May 11, 2021 19:41:30.598397017 CEST	64345	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:30.652195930 CEST	53	64345	8.8.8.8	192.168.2.5
May 11, 2021 19:41:35.789753914 CEST	57128	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:35.848423958 CEST	53	57128	8.8.8.8	192.168.2.5
May 11, 2021 19:41:36.148536921 CEST	54791	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:36.205853939 CEST	53	54791	8.8.8.8	192.168.2.5
May 11, 2021 19:41:47.910130024 CEST	50463	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:47.980202913 CEST	53	50463	8.8.8.8	192.168.2.5
May 11, 2021 19:41:49.166731119 CEST	50394	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:49.225449085 CEST	53	50394	8.8.8.8	192.168.2.5
May 11, 2021 19:42:08.874237061 CEST	58530	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:08.995861053 CEST	53	58530	8.8.8.8	192.168.2.5
May 11, 2021 19:42:09.546247005 CEST	53813	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:09.662774086 CEST	53	53813	8.8.8.8	192.168.2.5
May 11, 2021 19:42:10.244744062 CEST	63732	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:10.305036068 CEST	53	63732	8.8.8.8	192.168.2.5
May 11, 2021 19:42:10.795542955 CEST	57344	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:10.853147984 CEST	53	57344	8.8.8.8	192.168.2.5
May 11, 2021 19:42:11.439920902 CEST	54450	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:11.499397993 CEST	53	54450	8.8.8.8	192.168.2.5
May 11, 2021 19:42:12.111586094 CEST	59261	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:12.168761969 CEST	53	59261	8.8.8.8	192.168.2.5
May 11, 2021 19:42:12.610980988 CEST	57151	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:12.668272018 CEST	53	57151	8.8.8.8	192.168.2.5
May 11, 2021 19:42:13.481811047 CEST	59413	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:13.539010048 CEST	53	59413	8.8.8.8	192.168.2.5
May 11, 2021 19:42:14.948851109 CEST	60516	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:15.012072086 CEST	53	60516	8.8.8.8	192.168.2.5
May 11, 2021 19:42:15.515224934 CEST	51649	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:15.566854954 CEST	53	51649	8.8.8.8	192.168.2.5
May 11, 2021 19:42:27.988873005 CEST	65086	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:28.056380987 CEST	53	65086	8.8.8.8	192.168.2.5
May 11, 2021 19:42:29.749424934 CEST	56432	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:29.812186003 CEST	53	56432	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SYT09009.exe PID: 4956 Parent PID: 5720

General

Start time:	19:40:51
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\SYT09009.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SYT09009.exe'
Imagebase:	0x400000
File size:	555010 bytes
MD5 hash:	FBFDDFC110FD9D3775674447316DE3D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: MSBuild.exe PID: 3332 Parent PID: 4956

General

Start time:	19:40:52
Start date:	11/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SYT09009.exe'
Imagebase:	0x4e0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Analysis Process: schtasks.exe PID: 4320 Parent PID: 3332

General

Start time:	19:40:57
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Imagebase:	0xbb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5416 Parent PID: 4320

General

Start time:	19:40:57
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5840 Parent PID: 3332

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'
Imagebase:	0xbb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exe PID: 5868 Parent PID: 904

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0xbd0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exe PID: 5880 Parent PID: 5840

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5872 Parent PID: 5868

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 4440 Parent PID: 904

General

Start time:	19:41:00
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x740000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: conhost.exe PID: 4684 Parent PID: 4440

General

Start time:	19:41:01
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 6140 Parent PID: 3472

General

Start time:	19:41:05
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x840000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exe PID: 5876 Parent PID: 6140

General

Start time:	19:41:06
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SYT09009.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre