Analysis Report 01d32b29_by_Libranalysis

Overview

General Information

Sample Name: 01d32b29_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 412429
MD5: 01d32b29cf20b16e7dc745f01168bdd5
SHA1: 2603699a808a1ac0a2af21c6496acab3be0aa7c9
SHA256: e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Service.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f0ee6c15-7813-4f2f-a8f4-f86f2a48", "Group": "Default", "Domain1": "likedoingthis.ddns.net", "Domain2": "", "Port": 1337, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 79%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\Main.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Service.exe ReversingLabs: Detection: 97%
Multi AV Scanner detection for submitted file
Source: 01d32b29_by_Libranalysis.exe Virustotal: Detection: 48%
Source: 01d32b29_by_Libranalysis.exe ReversingLabs: Detection: 55%
Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Service.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 01d32b29_by_Libranalysis.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.dhcpmon.exe.c60000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.Service.exe.900000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.dhcpmon.exe.c60000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Service.exe.900000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Service.exe.5840000.9.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: 01d32b29_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Service.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 01d32b29_by_Libranalysis.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 01d32b29_by_Libranalysis.exe
Source: Binary string: C:\Windows\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: lib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Service.exe, 00000002.00000002.604812875.00000000055A0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131A717 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0131A717
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132BA20 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0132BA20
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133AC28 FindFirstFileExA, 0_2_0133AC28
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: likedoingthis.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: likedoingthis.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49708 -> 91.109.188.5:1337
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IELOIELOMainNetworkFR
Source: unknown DNS traffic detected: queries for: likedoingthis.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Service.exe, 00000002.00000002.598615106.000000000102B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: Service.exe, 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E0131A NtQuerySystemInformation, 2_2_02E0131A
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E012DF NtQuerySystemInformation, 2_2_02E012DF
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131710E: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_0131710E
Detected potential crypto function
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01326776 0_2_01326776
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01318631 0_2_01318631
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013271EF 0_2_013271EF
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133D1CE 0_2_0133D1CE
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013310D8 0_2_013310D8
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131E3C0 0_2_0131E3C0
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01313206 0_2_01313206
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013412D4 0_2_013412D4
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01330456 0_2_01330456
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131276D 0_2_0131276D
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131E9C0 0_2_0131E9C0
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133487A 0_2_0133487A
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133086E 0_2_0133086E
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013238F1 0_2_013238F1
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01323B6C 0_2_01323B6C
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01326BAB 0_2_01326BAB
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01334AA9 0_2_01334AA9
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131FA88 0_2_0131FA88
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133CD20 0_2_0133CD20
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01325DA7 0_2_01325DA7
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01330CA3 0_2_01330CA3
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131BF33 0_2_0131BF33
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132FF5A 0_2_0132FF5A
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131DF8C 0_2_0131DF8C
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01313FDE 0_2_01313FDE
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131EE34 0_2_0131EE34
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01315E9C 0_2_01315E9C
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01323E9D 0_2_01323E9D
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013021 1_2_0000000140013021
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013507 1_2_0000000140013507
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140010210 1_2_0000000140010210
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140015220 1_2_0000000140015220
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000EA48 1_2_000000014000EA48
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140014E80 1_2_0000000140014E80
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140014E90 1_2_0000000140014E90
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140012E97 1_2_0000000140012E97
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140015F30 1_2_0000000140015F30
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000B758 1_2_000000014000B758
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_0000000140013798 1_2_0000000140013798
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0090524A 2_2_0090524A
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F12477 2_2_00F12477
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F27AC1 2_2_00F27AC1
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F27FA7 2_2_00F27FA7
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01453850 2_2_01453850
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145B058 2_2_0145B058
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01458788 2_2_01458788
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_014523A0 2_2_014523A0
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01452FA8 2_2_01452FA8
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145944F 2_2_0145944F
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145306F 2_2_0145306F
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01459C30 2_2_01459C30
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_01459388 2_2_01459388
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_0145969B 2_2_0145969B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_00C6524A 16_2_00C6524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F023A0 16_2_02F023A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F02FA8 16_2_02F02FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F03850 16_2_02F03850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 16_2_02F0306F 16_2_02F0306F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132EE60 appears 31 times
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132E3CC appears 35 times
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: String function: 0132E4A0 appears 53 times
PE file contains strange resources
Source: 01d32b29_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 01d32b29_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335209581.0000000007AA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 01d32b29_by_Libranalysis.exe
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.334483521.0000000007940000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 01d32b29_by_Libranalysis.exe
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335147370.0000000007A60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs 01d32b29_by_Libranalysis.exe
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335076587.0000000007A40000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 01d32b29_by_Libranalysis.exe
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.335076587.0000000007A40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 01d32b29_by_Libranalysis.exe
Source: 01d32b29_by_Libranalysis.exe, 00000000.00000002.333359295.0000000003AF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 01d32b29_by_Libranalysis.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Section loaded: dxgidebug.dll
Uses 32bit PE files
Source: 01d32b29_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
Yara signature match
Source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.604469931.0000000005310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Service.exe PID: 6520, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\Service.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.5310000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3443dc4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.3191770.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Service.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.999430803571
Source: dhcpmon.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.999430803571
Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Service.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: Service.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/6@8/2
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01316E29 GetLastError,FormatMessageW, 0_2_01316E29
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E010DA AdjustTokenPrivileges, 2_2_02E010DA
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E010A3 AdjustTokenPrivileges, 2_2_02E010A3
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_01329F5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_01329F5C
Source: C:\Users\user\Desktop\Service.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6740765
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
Source: C:\Users\user\Desktop\Service.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f0ee6c15-7813-4f2f-a8f4-f86f2a48b89f}
Source: C:\Users\user\Desktop\Service.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6976:120:WilError_01
Source: C:\Users\user\Desktop\Main.exe File created: C:\Users\user\AppData\Local\Temp\DFA1.tmp
Source: C:\Users\user\Desktop\Main.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Command line argument: sfxname 0_2_0132D711
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Command line argument: sfxstime 0_2_0132D711
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Command line argument: STARTDLG 0_2_0132D711
Source: 01d32b29_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Service.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Service.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Service.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 01d32b29_by_Libranalysis.exe Virustotal: Detection: 48%
Source: 01d32b29_by_Libranalysis.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File read: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe
Source: unknown Process created: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe 'C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
Source: C:\Users\user\Desktop\Main.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
Source: C:\Users\user\Desktop\Main.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Service.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Service.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01d32b29_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 01d32b29_by_Libranalysis.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 01d32b29_by_Libranalysis.exe
Source: Binary string: C:\Windows\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: lib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Service.exe, 00000002.00000002.599360238.0000000002E36000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Service.exe, 00000002.00000002.604812875.00000000055A0000.00000002.00000001.sdmp
Source: 01d32b29_by_Libranalysis.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 01d32b29_by_Libranalysis.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 01d32b29_by_Libranalysis.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 01d32b29_by_Libranalysis.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 01d32b29_by_Libranalysis.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: Service.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Service.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 1_2_000000014000D9C4
File is packed with WinRar
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6740765
PE file contains sections with non-standard names
Source: 01d32b29_by_Libranalysis.exe Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132E3CC push eax; ret 0_2_0132E3EA
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132EEA6 push ecx; ret 0_2_0132EEB9
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014001BD2E push rbx; ret 1_2_000000014001BD2F
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F29D74 push eax; retf 2_2_00F29D75
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F2AA7B push cs; retf 2_2_00F2AA93
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F29D78 pushad ; retf 2_2_00F29D79
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F2A993 push cs; retf 2_2_00F2A9AB
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_00F2AA07 push cs; retf 2_2_00F2AA1F
Source: Service.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: Service.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.2.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.2.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.Service.exe.900000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.Service.exe.900000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.0.dhcpmon.exe.c60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.2.dhcpmon.exe.c60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: reg.exe (14 reg.exe child processes created by cmd.exe)
Drops PE files
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File created: C:\Users\user\Desktop\Service.exe
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe File created: C:\Users\user\Desktop\Main.exe
Source: C:\Users\user\Desktop\Service.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Service.exe File opened: C:\Users\user\Desktop\Service.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Main.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\Desktop\Service.exe Process information set: NOOPENFILEERRORBOX (39 occurrences)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Main.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Main.exe Window / User API: threadDelayed 381
Source: C:\Users\user\Desktop\Service.exe Window / User API: threadDelayed 365
Source: C:\Users\user\Desktop\Service.exe Window / User API: threadDelayed 980
Source: C:\Users\user\Desktop\Service.exe Window / User API: foregroundWindowGot 1011
Source: C:\Users\user\Desktop\Service.exe Window / User API: foregroundWindowGot 370
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Main.exe TID: 6496 Thread sleep count: 381 > 30
Source: C:\Users\user\Desktop\Service.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Service.exe TID: 6640 Thread sleep time: -160000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131A717 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0131A717
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132BA20 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0132BA20
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133AC28 FindFirstFileExA, 0_2_0133AC28
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132DEAF VirtualQuery,GetSystemInfo, 0_2_0132DEAF
Source: C:\Users\user\Desktop\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.tmp
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Main.exe File opened: C:\Users\user\AppData\
Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Service.exe, 00000002.00000002.605384365.0000000006490000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.338466953.0000018009A10000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.340883590.0000020660A30000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.343402991.0000020F76930000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.349421127.000001B6331E0000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.350811973.000001F44CBA0000.00000002.00000001.sdmp, reg.exe, 0000000E.00000002.353812253.000001D25D9A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Service.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132F065 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0132F065
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Main.exe Code function: 1_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 1_2_000000014000D9C4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133767E mov eax, dword ptr fs:[00000030h] 0_2_0133767E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0133B910 GetProcessHeap, 0_2_0133B910
Enables debug privileges
Source: C:\Users\user\Desktop\Service.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132F1B3 SetUnhandledExceptionFilter, 0_2_0132F1B3
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132F065 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0132F065
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132F38B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0132F38B
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013387FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013387FF
Source: C:\Users\user\Desktop\Service.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Main.exe 'C:\Users\user\Desktop\Main.exe'
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Process created: C:\Users\user\Desktop\Service.exe 'C:\Users\user\Desktop\Service.exe'
Source: C:\Users\user\Desktop\Main.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\DFA1.tmp\DFA2.tmp\DFA3.bat C:\Users\user\Desktop\Main.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe query 'HKU\S-1-5-19\Environment'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableScanOnRealtimeEnable' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableAntiSpyware' /t REG_DWORD /d '1' /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe Reg.exe add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'DisableRoutinelyTakingAction' /t REG_DWORD /d '1' /f
Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp Binary or memory string: Program Manager
Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Service.exe, 00000002.00000002.599106978.0000000001830000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Service.exe, 00000002.00000002.598779863.000000000109E000.00000004.00000020.sdmp Binary or memory string: Program Manager`
Source: Service.exe, 00000002.00000002.601487158.0000000003210000.00000004.00000001.sdmp Binary or memory string: Program ManagerXt

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_013200B8 cpuid 0_2_013200B8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0132A77C
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0132D711 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0132D711
Source: C:\Users\user\Desktop\01d32b29_by_Libranalysis.exe Code function: 0_2_0131AE15 GetVersionExW, 0_2_0131AE15
Source: C:\Users\user\Desktop\Service.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: Service.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: Service.exe, 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe.2.dr String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000002.377390680.0000000004421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.332243003.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.604957919.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.597461394.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603266642.00000000041BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.377356574.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376298581.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357721819.0000000000C62000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Service.exe PID: 6520, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7056, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\Service.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 2.2.Service.exe.41d2a15.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5844629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41ce3ec.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4472a15.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.44695b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.41c95b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Service.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.446e3ec.5.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E025F2 bind, 2_2_02E025F2
Source: C:\Users\user\Desktop\Service.exe Code function: 2_2_02E025A0 bind, 2_2_02E025A0
Behavior Graph ID: 412429, Sample: 01d32b29_by_Libranalysis, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures

Process tree:
  01d32b29_by_Libranalysis.exe
    dropped: C:\Users\user\Desktop\Service.exe (PE32); C:\Users\user\Desktop\Main.exe (PE32+)
    started: Service.exe
      DNS/IP: likedoingthis.ddns.net 91.109.188.5, port 1337, IELOIELOMainNetworkFR (France); 192.168.2.1 (unknown)
      dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (International)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    started: Main.exe
      started: cmd.exe
        signatures: Uses cmd line tools excessively to alter registry or file data
        started: reg.exe; conhost.exe; reg.exe; 5 other processes
          reg.exe started: conhost.exe
  dhcpmon.exe
    dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
91.109.188.5 | likedoingthis.ddns.net | France | 29075 | IELOIELOMainNetworkFR | true

Private

IP
192.168.2.1

Contacted Domains

Name | IP | Active
likedoingthis.ddns.net | 91.109.188.5 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
likedoingthis.ddns.net | true | 0%, Virustotal; Avira URL Cloud: safe | unknown