Windows Analysis Report: Updated Order COA.doc

Overview

General Information

Sample Name: Updated Order COA.doc
Analysis ID: 435312
MD5: 59f9c2a162cf48fe5819f58b697c107c
SHA1: f8702f19bae3a9f2dd1fca58f6eae3d6e62d4878
SHA256: 23a865d4a1205be496c45012233d96255c90102e3925dab252d30d9a70f82ba9
Tags: doc

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Connects to a URL shortener service
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore
  Version: 1.2.2.0
  Mutex: 18773cd6-e296-4327-b004-0088e2e8
  Group: WEALTH
  Domain1: 185.140.53.154
  Domain2: wealthybillionaire.ddns.net
  Port: 5540
  KeyboardLogging: Enable
  RunOnStartup: Disable
  RequestElevation: Disable
  BypassUAC: Enable
  ClearZoneIdentifier: Enable
  ClearAccessControl: Disable
  SetCriticalProcess: Disable
  PreventSystemSleep: Enable
  ActivateAwayMode: Disable
  EnableDebugMode: Disable
  RunDelay: 0
  ConnectDelay: 4000
  RestartDelay: 5000
  TimeoutInterval: 5000
  KeepAliveTimeout: 30000
  MutexTimeout: 5000
  LanTimeout: 2500
  WanTimeout: 8000
  BufferSize: ffff0000
  MaxPacketSize: 0000a000
  GCThreshold: 0000a000
  UseCustomDNS: Enable
  PrimaryDNSServer: 8.8.8.8
  BackupDNSServer: 8.8.4.4
  BypassUserAccountControlData (scheduled task XML, unescaped from the extractor string):
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo />
      <Triggers />
      <Principals>
        <Principal id="Author">
          <LogonType>InteractiveToken</LogonType>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>false</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
        <Priority>4</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>"#EXECUTABLEPATH"</Command>
          <Arguments>$(Arg0)</Arguments>
        </Exec>
      </Actions>
    </Task
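The extracted configuration accounts for most of what the report flags further down: BypassUAC is enabled and the embedded task runs with RunLevel HighestAvailable, ClearZoneIdentifier matches the "Hides that the sample has been downloaded" signature, KeyboardLogging matches the RegisterRawInputDevices finding, and Domain1/Domain2 with Port 5540 are the endpoints seen in the Networking section. The script below is an added example, not part of this report and not Joe Sandbox's extractor code: it takes a hand-copied subset of the configuration, lists the settings switched on, parses the scheduled-task XML to confirm the elevation setting, and emits Suricata rules for the two C2 indicators. The rule texts and SIDs are assumptions chosen for illustration.

```python
"""Turn the NanoCore configuration shown above into hunting artefacts.

Added example; not part of the sandbox report and not Joe Sandbox's
extractor code. CONFIG is a hand-copied subset of the extracted values;
the Suricata rule texts and SIDs are assumptions chosen for illustration.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Subset of the configuration printed in the report (copied by hand).
CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "18773cd6-e296-4327-b004-0088e2e8",
    "Group": "WEALTH",
    "Domain1": "185.140.53.154",
    "Domain2": "wealthybillionaire.ddns.net",
    "Port": 5540,
    "KeyboardLogging": "Enable",
    "RunOnStartup": "Disable",
    "RequestElevation": "Disable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8",
    "BackupDNSServer": "8.8.4.4",
    # The task XML, with the Settings block omitted for brevity.
    "BypassUserAccountControlData": (
        '<?xml version="1.0" encoding="UTF-16"?>\r\n'
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
        ' <Principals>\r\n <Principal id="Author">\r\n'
        ' <LogonType>InteractiveToken</LogonType>\r\n'
        ' <RunLevel>HighestAvailable</RunLevel>\r\n'
        ' </Principal>\r\n </Principals>\r\n'
        ' <Actions Context="Author">\r\n <Exec>\r\n'
        ' <Command>"#EXECUTABLEPATH"</Command>\r\n'
        ' <Arguments>$(Arg0)</Arguments>\r\n'
        ' </Exec>\r\n </Actions>\r\n</Task>'
    ),
}


def enabled_capabilities(cfg):
    """Names of the on/off settings the operator switched on."""
    return sorted(k for k, v in cfg.items() if v == "Enable")


def extract_iocs(cfg):
    """Indicators a responder would pivot on, in config order."""
    return {
        "c2": [cfg["Domain1"], cfg["Domain2"]],
        "port": cfg["Port"],
        "mutex": cfg["Mutex"],
        "dns_servers": [cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]],
    }


def task_privilege(cfg):
    """Parse the embedded scheduled-task XML used for the UAC bypass.

    Returns (RunLevel, Command). NanoCore fills the #EXECUTABLEPATH
    placeholder with its own path at run time, so the task relaunches the
    implant with the highest privileges the interactive user holds.
    """
    xml = cfg["BypassUserAccountControlData"]
    # The declaration claims UTF-16 but we already hold decoded text;
    # drop it so expat does not reject the encoding mismatch.
    xml = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml)
    root = ET.fromstring(xml)
    run_level = root.findtext(".//t:RunLevel", namespaces=TASK_NS)
    command = root.findtext(".//t:Command", namespaces=TASK_NS)
    return run_level, command


def suricata_rules(iocs, base_sid=9000001):
    """One rule per C2 indicator: a TCP rule for the literal IP/port and a
    DNS-query rule for the dynamic-DNS name. SIDs are placeholders."""
    rules = []
    for n, host in enumerate(iocs["c2"]):
        sid = base_sid + n
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            rules.append(
                f'alert tcp $HOME_NET any -> {host} {iocs["port"]} '
                f'(msg:"NanoCore C2 {host}"; flow:to_server; sid:{sid}; rev:1;)'
            )
        else:
            rules.append(
                f'alert dns $HOME_NET any -> any any (msg:"NanoCore C2 DNS {host}"; '
                f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)'
            )
    return rules


if __name__ == "__main__":
    print("enabled:", ", ".join(enabled_capabilities(CONFIG)))
    print("task:", task_privilege(CONFIG))
    for rule in suricata_rules(extract_iocs(CONFIG)):
        print(rule)
```

The DNS rule uses the dns.query sticky-buffer syntax of current Suricata releases; on an older engine substitute the dns_query keyword. The IP rule pins the destination port because NanoCore's 5540 is the non-standard port the report observed, but the same host may be contacted on other ports by later builds, so a plain destination-IP rule is the safer complement.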
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt ReversingLabs: Detection: 22%
Source: C:\Users\Public\098765.exe ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: Updated Order COA.doc ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt Joe Sandbox ML: detected
Source: C:\Users\Public\098765.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.RegAsm.exe.920000.6.unpack Avira: Label: TR/NanoCore.fadte
Source: 5.2.RegAsm.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\098765.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
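The chain in this section is the CVE-2017-11882 pattern: EQNEDT32.EXE is activated out of process via COM (the -Embedding argument), fetches the payload and writes it to C:\Users\Public, and the dropped .NET loader then hosts NanoCore in a copy of RegAsm.exe placed under the user's Temp directory (see the System Summary section). The rules below are an added example written for this page, not one of the Sigma rules the report cites; they encode that chain as three checks over Sysmon-style process-creation records. EVENTS is a constructed set modelled on the report's process tree (the report records no parent for EQNEDT32.EXE, so that field is a placeholder), and the framework path used for the benign control is an assumption.

```python
"""Process-tree rules for the Equation Editor exploitation chain above.

Added example; not part of the report and not one of the Sigma rules it
cites. EVENTS is a constructed set of Sysmon-style process-creation
records (Event ID 1 field names) modelled on the report's process tree.
"""
import ntpath

EVENTS = [
    # Benign: the user opens the document.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"},
    # Equation Editor activated through COM; the report records no parent.
    {"ParentImage": "<unknown>",
     "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "CommandLine": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding"},
    # Exploit payload: the downloaded PE is written to Public and executed.
    {"ParentImage": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "Image": "C:\\Users\\Public\\098765.exe"},
    # The .NET loader starts a copied RegAsm.exe from Temp as injection host.
    {"ParentImage": "C:\\Users\\Public\\098765.exe",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\RegAsm.exe"},
    # Benign control (assumed path): the real RegAsm.exe run from the framework dir.
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
]

# Lower-case, backslash-normalised substrings/prefix (ntpath.normcase form).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"


def _norm(path):
    """Case-fold and normalise separators so the rules run on any host OS."""
    return ntpath.normcase(path)


def rule_equation_editor_child(ev):
    """EQNEDT32.EXE has no legitimate reason to start another process;
    any child is the CVE-2017-11882 / CVE-2018-0802 pattern."""
    return ntpath.basename(_norm(ev["ParentImage"])) == "eqnedt32.exe"


def rule_suspicious_folder(ev):
    """Execution from a world-writable or per-user scratch directory."""
    image = _norm(ev["Image"])
    return any(d in image for d in SUSPICIOUS_DIRS)


def rule_regasm_outside_framework(ev):
    """RegAsm.exe ships under the .NET Framework directories; a copy run
    from anywhere else is a classic injection host for .NET RAT loaders."""
    image = _norm(ev["Image"])
    return (ntpath.basename(image) == "regasm.exe"
            and not image.startswith(FRAMEWORK_DIR))


RULES = {
    "equation_editor_child": rule_equation_editor_child,
    "suspicious_folder": rule_suspicious_folder,
    "regasm_outside_framework": rule_regasm_outside_framework,
}


def evaluate(events):
    """Return (rule name, image basename) for every rule that fires."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ntpath.basename(ev["Image"])))
    return hits


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(f"{name:26} {image}")
```

Run against the constructed events, only the two malicious starts fire: 098765.exe trips the Equation Editor and suspicious-folder rules, the Temp copy of RegAsm.exe trips the suspicious-folder and out-of-framework rules, and the benign RegAsm.exe from the framework directory is silent. The parent check is the high-confidence signal; the other two exist so that the same chain is still caught when the dropper is launched through an intermediate process.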

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\098765.exe Code function: 4x nop then jmp 002D8BA8h 4_2_002D8320
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.140.53.154
Source: Malware configuration extractor URLs: wealthybillionaire.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: wealthybillionaire.ddns.net
Connects to a URL shortener service
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE DNS query: name: bit.ly
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 185.140.53.154:5540
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 82.221.105.125
Source: Joe Sandbox View IP Address: 185.140.53.154
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248C44A0-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe String found in binary or memory: http://go.microsoft.
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp String found in binary or memory: http://n.f
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, 098765.exe, 00000004.00000003.2117350374.0000000004B43000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/s
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobede
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp String found in binary or memory: http://ns.ao
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: 098765.exe, 00000004.00000002.2118233396.0000000002320000.00000004.00000001.sdmp, 098765.exe, 00000004.00000002.2118217008.0000000002307000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 2TE7JJq[1].htm.2.dr String found in binary or memory: https://offlineclubz.com/PC.txt
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE
Drops certificate files (DER)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
.NET source code contains very large array initializations
Source: 098765.exe.2.dr, Qb7p/Kg37.cs Large array initialization: .cctor: array initializer size 2653
Source: 098765.exe.2.dr, e1L/Bs2.cs Large array initialization: .cctor: array initializer size 2943
Source: 4.0.098765.exe.e30000.0.unpack, Qb7p/Kg37.cs Large array initialization: .cctor: array initializer size 2653
Source: 4.0.098765.exe.e30000.0.unpack, e1L/Bs2.cs Large array initialization: .cctor: array initializer size 2943
Source: 4.2.098765.exe.e30000.3.unpack, e1L/Bs2.cs Large array initialization: .cctor: array initializer size 2943
Source: 4.2.098765.exe.e30000.3.unpack, Qb7p/Kg37.cs Large array initialization: .cctor: array initializer size 2653
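The .NET loader keeps its next stage in large static byte arrays (the .cctor initialisers flagged above), and the sandbox recovered several PE images from the memory of 098765.exe and RegAsm.exe (the .unpack and .raw.unpack entries elsewhere in this report). The carver below is an added example, not part of the report and not Joe Sandbox's unpacker: it finds PE images embedded in an arbitrary byte blob by validating the DOS and NT headers and sizing the image from its section table. The sample blob is constructed inline (a hand-built minimal PE32 between junk bytes, plus a stray "MZ" that the header checks must reject). It also shows the distinction the report's two unpack flavours hint at: a dump taken from process memory has sections at their virtual addresses, so mapped=True sizes by VirtualAddress/VirtualSize instead of raw file offsets, and a file-layout image fails that sizing.

```python
"""Carve PE images out of a byte blob (file carve or memory dump).

Added example; not part of the report and not Joe Sandbox's unpacker.
The blob below is constructed: a hand-built minimal 32-bit PE placed
between junk bytes, plus a stray "MZ" that must be rejected.
"""
import struct

PE_MACHINES = {0x014C: "i386", 0x8664: "x86-64"}
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe(blob, base, mapped=False):
    """Validate the headers at blob[base:] and return a description or None.

    mapped=False sizes the image from the section table's raw offsets (file
    layout); mapped=True uses VirtualAddress/VirtualSize, which is what a
    dump of a loaded image looks like in process memory.
    """
    if blob[base:base + 2] != b"MZ" or base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, pe + 4)
    if machine not in PE_MACHINES or not 0 < nsec <= 96:
        return None
    opt = pe + 24
    if opt + 2 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in OPT_MAGICS:
        return None
    sec = opt + opt_size
    end = sec + nsec * 40 - base          # at least the headers
    for i in range(nsec):
        off = sec + i * 40
        if off + 40 > len(blob):
            return None
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        end = max(end, va + vsize if mapped else rawptr + rawsize)
    if base + end > len(blob):
        return None                       # truncated image, not carveable
    return {"offset": base, "size": end, "machine": PE_MACHINES[machine],
            "format": OPT_MAGICS[magic], "sections": nsec,
            "is_dll": bool(chars & 0x2000)}


def carve_pe(blob, mapped=False):
    """Return descriptions of every PE image found in blob, left to right."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos == -1:
            return found
        info = parse_pe(blob, pos, mapped)
        if info:
            found.append(info)
            pos += info["size"]           # do not re-scan inside the image
        else:
            pos += 1


def build_sample_pe():
    """Hand-built minimal PE32: one .text section, file size 0x400."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)        # PE32, rest zeroed
    sect = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    headers = bytes(dos) + coff + opt + sect
    headers += bytes(0x200 - len(headers))                  # pad to PointerToRawData
    return headers + b"\x90" * 0x200                        # section data


def build_sample_blob():
    """Junk, a stray 'MZ' without a PE header, the real image, more junk."""
    return bytes(64) + b"MZ" + bytes(30) + b"\xCC" * 100 + build_sample_pe() + bytes(50)


if __name__ == "__main__":
    for hit in carve_pe(build_sample_blob()):
        print(hit)
```

On the constructed blob the stray MZ at offset 64 is rejected because its e_lfanew field reads 0xCCCCCCCC, and the real image is reported at offset 196 with size 0x400, which is exactly the bytes to write out for a second Yara pass or a disassembler. Scanning the same file-layout blob with mapped=True returns nothing, because the .text section's VirtualAddress 0x1000 lies beyond the data; that is the signal to pick the other mode when you are not sure whether a dump is a mapped image or a raw file copy.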
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\098765.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\098765.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\098765.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to launch a process as a different user
Source: C:\Users\Public\098765.exe Code function: 4_2_00A72D80 CreateProcessAsUserW, 4_2_00A72D80
Detected potential crypto function
Source: C:\Users\Public\098765.exe Code function: 4_2_002D8320 4_2_002D8320
Source: C:\Users\Public\098765.exe Code function: 4_2_002D6A58 4_2_002D6A58
Source: C:\Users\Public\098765.exe Code function: 4_2_002D3E91 4_2_002D3E91
Source: C:\Users\Public\098765.exe Code function: 4_2_002D2FD8 4_2_002D2FD8
Source: C:\Users\Public\098765.exe Code function: 4_2_002DA239 4_2_002DA239
Source: C:\Users\Public\098765.exe Code function: 4_2_002DA240 4_2_002DA240
Source: C:\Users\Public\098765.exe Code function: 4_2_002D2550 4_2_002D2550
Source: C:\Users\Public\098765.exe Code function: 4_2_002DF680 4_2_002DF680
Source: C:\Users\Public\098765.exe Code function: 4_2_002D6A49 4_2_002D6A49
Source: C:\Users\Public\098765.exe Code function: 4_2_002D8BC1 4_2_002D8BC1
Source: C:\Users\Public\098765.exe Code function: 4_2_002D8BD0 4_2_002D8BD0
Source: C:\Users\Public\098765.exe Code function: 4_2_002D3F81 4_2_002D3F81
Source: C:\Users\Public\098765.exe Code function: 4_2_00A72490 4_2_00A72490
Source: C:\Users\Public\098765.exe Code function: 4_2_00A790E8 4_2_00A790E8
Source: C:\Users\Public\098765.exe Code function: 4_2_00A73C59 4_2_00A73C59
Source: C:\Users\Public\098765.exe Code function: 4_2_00A7B988 4_2_00A7B988
Source: C:\Users\Public\098765.exe Code function: 4_2_00A73161 4_2_00A73161
Source: C:\Users\Public\098765.exe Code function: 4_2_00A77171 4_2_00A77171
Source: C:\Users\Public\098765.exe Code function: 4_2_00A76A40 4_2_00A76A40
Source: C:\Users\Public\098765.exe Code function: 4_2_00A74F80 4_2_00A74F80
Source: C:\Users\Public\098765.exe Code function: 4_2_00A78860 4_2_00A78860
Source: C:\Users\Public\098765.exe Code function: 4_2_00A78870 4_2_00A78870
Source: C:\Users\Public\098765.exe Code function: 4_2_00A7A840 4_2_00A7A840
Source: C:\Users\Public\098765.exe Code function: 4_2_00A709B8 4_2_00A709B8
Source: C:\Users\Public\098765.exe Code function: 4_2_00A709C8 4_2_00A709C8
Source: C:\Users\Public\098765.exe Code function: 4_2_00A79B80 4_2_00A79B80
Source: C:\Users\Public\098765.exe Code function: 4_2_00A783E8 4_2_00A783E8
Source: C:\Users\Public\098765.exe Code function: 4_2_00A783F8 4_2_00A783F8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_001F3DFE 5_2_001F3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005FB198 5_2_005FB198
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005F43A0 5_2_005F43A0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005FDD38 5_2_005FDD38
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005FBDB0 5_2_005FBDB0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005F3788 5_2_005F3788
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005F4458 5_2_005F4458
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_005FBE6E 5_2_005FBE6E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 9_2_001F3DFE 9_2_001F3DFE
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
Yara signature match
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@11/22@9/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$dated Order COA.doc
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{18773cd6-e296-4327-b004-0088e2e894f7}
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC013.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ........................................(.P.....`.......<.......$...............................................................................
Source: C:\Users\Public\098765.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\098765.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\098765.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Updated Order COA.doc ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
Source: C:\Users\Public\098765.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\098765.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: Updated Order COA.doc Static file information: File size 2676268 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\098765.exe Code function: 4_2_00E343EE push ebx; retf 4_2_00E3440B
Source: C:\Users\Public\098765.exe Code function: 4_2_00E32FA7 push ds; retf 4_2_00E331D1
Source: C:\Users\Public\098765.exe Code function: 4_2_00E34CB9 pushad ; retf 4_2_00E34CC0
Source: C:\Users\Public\098765.exe Code function: 4_2_00E330BD push ds; retf 4_2_00E331D1
Source: C:\Users\Public\098765.exe Code function: 4_2_00E3433D push ebx; retf 4_2_00E3440B
Source: C:\Users\Public\098765.exe Code function: 4_2_00A71ED0 push esp; retf 4_2_00A71EE9
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_001F523F push cs; iretd 5_2_001F5240
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_02071B10 push 00000000h; retn 0004h 5_2_02071B20
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 5_2_02070172 push 00000000h; ret 5_2_02070180
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 9_2_001F523F push cs; iretd 9_2_001F5240
Source: 098765.exe.2.dr, Wk7s/Xb3o.cs High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 4.0.098765.exe.e30000.0.unpack, Wk7s/Xb3o.cs High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 4.2.098765.exe.e30000.3.unpack, Wk7s/Xb3o.cs High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\Public\098765.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\098765.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\098765.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\098765.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\098765.exe File opened: C:\Users\Public\098765.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Local\Temp\RegAsm.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\098765.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\Public\098765.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\098765.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\098765.exe Window / User API: threadDelayed 588
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: threadDelayed 8756
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: threadDelayed 949
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: foregroundWindowGot 445
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488 Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2420 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2976 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2904 Thread sleep count: 588 > 30
Source: C:\Users\Public\098765.exe TID: 2696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2348 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2556 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2608 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2988 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\098765.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\098765.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\Public\098765.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\Public\098765.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
Source: C:\Users\Public\098765.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp Binary or memory string: Program Manager48
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: RegAsm.exe, 00000005.00000002.2359036005.0000000002B68000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp Binary or memory string: Program Manager@

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\098765.exe Queries volume information: C:\Users\Public\098765.exe VolumeInformation
Source: C:\Users\Public\098765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\Public\098765.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\Public\098765.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: 098765.exe, 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE
[Legend of the contacted-IP distribution map; the map image itself is not included in this text]
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs