Windows Analysis Report: Document.1-xml.eml.exe

Overview

General Information

Sample Name: Document.1-xml.eml.exe
Analysis ID: 452441
MD5: 4d48e3cbfc19b5729b6c7a968a957805
SHA1: 4863e913b2e5709d9ed8c5937ae046e2edeee152
SHA256: 45cf5d850ca6806fd9b55ef35a2ebe8aa2d9b724b67f96eac270c44d1a85e810
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Document.1-xml.eml.exe (PID: 6608 cmdline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
    • Document.1-xml.eml.exe (PID: 5768 cmdline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
      • schtasks.exe (PID: 5796 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5720 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Document.1-xml.eml.exe (PID: 5540 cmdline: C:\Users\user\Desktop\Document.1-xml.eml.exe 0 MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • dhcpmon.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • dhcpmon.exe (PID: 5608 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "ec07ca6b-08b1-47be-b65b-f4ac1e81",
  "Group": "alozzzz",
  "Domain1": "194.5.98.136",
  "Domain2": "",
  "Port": 2888,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "... (Task Scheduler XML, reproduced below with JSON escaping removed)"
}

The BypassUserAccountControlData value, with JSON escaping removed:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>

The RunLevel of HighestAvailable is what the BypassUAC setting relies on: a task registered from this definition (see the schtasks.exe /create /xml invocations in the Process Tree) starts the payload with the highest privileges available to the logged-on user.

Yara Overview

Memory Dumps

• Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
• Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
• Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
• Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
• Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(19 entries in total; only the first are shown here)

      Unpacked PEs

• Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
• Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
• Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
    • 0xe38d:$x1: NanoCore.ClientPluginHost
    • 0xe3ca:$x2: IClientNetworkHost
    • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
• Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
    • 0xe105:$x1: NanoCore Client.exe
    • 0xe38d:$x2: NanoCore.ClientPluginHost
    • 0xf9c6:$s1: PluginCommand
    • 0xf9ba:$s2: FileCommand
    • 0x1086b:$s3: PipeExists
    • 0x16622:$s4: PipeCreated
    • 0xe3b7:$s5: IClientLoggingHost
• Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(41 entries in total; only the first are shown here)

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Document.1-xml.eml.exe, ProcessId: 5768, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview


        AV Detection:

Found malware configuration
Source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Document.1-xml.eml.exe; ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match; File source (type: UNPACKEDPE):
  • 0.2.Document.1-xml.eml.exe.5915a0.1.unpack
  • 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack
  • 15.2.Document.1-xml.eml.exe.52f0000.8.unpack
  • 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack
  • 23.2.dhcpmon.exe.4a315a0.1.unpack
  • 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack
  • 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack
  • 23.2.dhcpmon.exe.4a315a0.1.raw.unpack
  • 15.2.Document.1-xml.eml.exe.400000.0.unpack
  • 15.1.Document.1-xml.eml.exe.400000.0.unpack
  • 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack
  • 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack
Source: Yara match; File source (type: MEMORY):
  • 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp
  • 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp
  • 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp
  • 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp
  • 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp
  • 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp
  • Process Memory Space: dhcpmon.exe PID: 5608
  • Process Memory Space: Document.1-xml.eml.exe PID: 5768
Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack; Avira: Label: TR/NanoCore.fadte
Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack; Avira: Label: TR/NanoCore.fadte

        Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; Unpacked PE file: 15.2.Document.1-xml.eml.exe.400000.0.unpack
Source: Document.1-xml.eml.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: Binary string: \??\C:\Windows\dll\System.pdb| source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbxx source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb0 source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: System.pdb H source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: 1hoC:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: p}}bsymbols\dll\System.pdb} source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: r`indows\System.pdbpdbtem.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.920175519.0000000000824000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925330662.0000000004FF0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\SysWOW64\KERNELBASE.dll
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\SysWOW64\MSCOREE.DLL
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.1_none_8ef454a057103afa
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\SysWOW64\KERNEL32.dll
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49759 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 194.5.98.136:2888
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 194.5.98.136:2888
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 194.5.98.136
Source: global traffic; TCP traffic: 192.168.2.4:49759 -> 194.5.98.136:2888
Source: Joe Sandbox View; ASN Name: DANILENKODE DANILENKODE
Source: unknown; TCP traffic detected without corresponding DNS query: 194.5.98.136 (this entry is reported 50 times in the original output)
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe; Code function: 15_2_04912E3E WSARecv,
Source: dhcpmon.exe, 00000016.00000002.908498339.00000000006F8000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the same UNPACKEDPE and MEMORY file sources as listed under AV Detection above.

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: Document.1-xml.eml.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: Document.1-xml.eml.exe
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_049116DA NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_0491169F NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F3850
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F89D8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047FB2A8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F2FA8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F23A0
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F306F
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F95D8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F969F
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: String function: 02410590 appears 43 times
        Source: Document.1-xml.eml.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Document.1-xml.eml.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920117885.00000000007DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925330662.0000000004FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925039372.0000000004900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 00000015.00000002.910716613.0000000000658000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Document.1-xml.eml.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.15.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/7@0/1
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_0491149A AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_04911463 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ec07ca6b-08b1-47be-b65b-f4ac1e815e5d}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp
        Source: Document.1-xml.eml.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Document.1-xml.eml.exe | ReversingLabs: Detection: 19%
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File read: C:\Users\user\Desktop\Document.1-xml.eml.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Document.1-xml.eml.exe 'C:\Users\user\Desktop\Document.1-xml.eml.exe'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Users\user\Desktop\Document.1-xml.eml.exe 'C:\Users\user\Desktop\Document.1-xml.eml.exe'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Document.1-xml.eml.exe C:\Users\user\Desktop\Document.1-xml.eml.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: Document.1-xml.eml.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
        Source: Binary string: \??\C:\Windows\dll\System.pdb| source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\System.pdbxx source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb0 source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
        Source: Binary string: System.pdb H source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
        Source: Binary string: 1hoC:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
        Source: Binary string: p}}bsymbols\dll\System.pdb} source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
        Source: Binary string: r`indows\System.pdbpdbtem.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.920175519.0000000000824000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\symbols\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
        Source: Binary string: mscorrc.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925330662.0000000004FF0000.00000002.00000001.sdmp
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Unpacked PE file: 15.2.Document.1-xml.eml.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tineh:W;.rsrc:R; vs .text:ER;.reloc:R;.rsrc:R;
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Unpacked PE file: 15.2.Document.1-xml.eml.exe.400000.0.unpack
        .NET source code contains potential unpacker
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: Document.1-xml.eml.exe | Static PE information: section name: .tineh
        Source: dhcpmon.exe.15.dr | Static PE information: section name: .tineh
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_0042D761 push ecx; ret
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_02525A90 push eax; iretd
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_00749D74 push eax; retf
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_00749D78 pushad ; retf
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_007474B8 push ebp; ret
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_007474AC push ecx; ret
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_007498AB push ecx; retf 0074h
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_0042D761 push ecx; ret
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_02415A90 push eax; iretd
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_02415A92 pushad ; iretd
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_02415552 push esp; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_0042D761 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_02385A90 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_02385A92 pushad ; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_02385552 push esp; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_02365A90 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_02365A98 pushad ; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_02365558 push esp; retf
        Source: initial sampleStatic PE information: section name: .text entropy: 7.96899648432
        Source: initial sampleStatic PE information: section name: .text entropy: 7.96899648432
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
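        The static indicators this section reports (the non-standard .tineh section, a .text section at 7.969 bits of entropy, and the per-section rights strings such as .text:ER / .tineh:W) can be reproduced without the sandbox. The script below is an added triage example written for this page; it is not part of the Joe Sandbox report and not a tool the report used. It parses the PE section table with the standard library only, so it has no pefile dependency. The COMMON_SECTIONS allow-list and the 7.2 entropy threshold are assumptions chosen for the example, and build_sample_pe() constructs a toy two-section PE32 to run against because the sample itself is not distributed with the page.

```python
import math
import struct

# Section names a stock MSVC or .NET build emits; anything else deserves a look.
# This allow-list is an assumption for the example, not a Joe Sandbox setting.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".tls", ".bss", ".CRT", ".sdata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Packed or encrypted code tends to sit well above 7.2 bits/byte; the report's
# .text scored 7.969. The threshold is an assumption chosen for this example.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_rights(characteristics: int) -> str:
    """Render the IMAGE_SCN_MEM_* bits the way the report does ('ER', 'W', ...)."""
    rights = ""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        rights += "E"
    if characteristics & IMAGE_SCN_MEM_READ:
        rights += "R"
    if characteristics & IMAGE_SCN_MEM_WRITE:
        rights += "W"
    return rights


def parse_sections(pe: bytes) -> list:
    """Walk the section table with struct only, so no pefile dependency is needed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    number_of_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional_header   # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40                          # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "rights": section_rights(characteristics),
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return sections


def triage(pe: bytes) -> list:
    """One finding string per obfuscation indicator, in section-table order."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.3f} looks packed or encrypted")
        if "W" in s["rights"] and "E" in s["rights"]:
            findings.append(f"{s['name']}: writable and executable ({s['rights']})")
    return findings


def build_sample_pe() -> bytes:
    """Constructed stand-in for the sample (not the real binary): a two-section
    PE32 whose .text is uniformly distributed and whose writable .tineh is empty."""
    text_data = bytes(range(256)) * 16            # entropy exactly 8.0
    tineh_data = b"\0" * 512                      # entropy 0.0
    size_of_optional_header = 0xE0                # PE32 size; contents left zeroed here
    headers_len = 0x40 + 24 + size_of_optional_header + 2 * 40
    text_ptr = headers_len
    tineh_ptr = text_ptr + len(text_data)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0,
                                           size_of_optional_header, 0x0102)

    def section_header(name, data, ptr, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr,
                           0, 0, 0, 0, characteristics)

    table = (section_header(b".text", text_data, text_ptr,
                            IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
             + section_header(b".tineh", tineh_data, tineh_ptr, IMAGE_SCN_MEM_WRITE))
    return (dos_header + coff_header + b"\0" * size_of_optional_header
            + table + text_data + tineh_data)


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

        Run triage(open(path, "rb").read()) against the dropped dhcpmon.exe as well; the report lists the same .tineh section for it. Keep in mind that a static parser only sees the on-disk side of the comparison behind the first signature above (.text:ER;.rdata:R;.data:W;.tineh:W;.rsrc:R; vs .text:ER;.reloc:R;.rsrc:R;), so the rights check here complements the sandbox's unpacked-versus-original diff rather than replacing it.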

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'
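        The task registration above goes through schtasks.exe /create /f /tn <name> /xml <file> with the task definition staged in the user's %TEMP%, so the command line itself never reveals what the task runs. The detection logic below is an added example written for this page, not a rule shipped with the report; it runs over constructed Sysmon-style process-creation records in which the two malicious command lines are copied from the report and the two benign ones are made up as baselines. The path heuristics in USER_WRITABLE and USER_PROFILE_PARENT are assumptions for the example.

```python
import re

# Constructed process-creation records using Sysmon Event ID 1 field names.
# The first two command lines are the ones the report lists; the last two are
# made-up benign baselines so the rule has something to ignore.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Document.1-xml.eml.exe",
     "CommandLine": r"schtasks.exe /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Document.1-xml.eml.exe",
     "CommandLine": r"schtasks.exe /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks.exe /create /tn "Vendor Updater" /xml "C:\Program Files\Vendor\updater-task.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /query /tn "DHCP Monitor" /xml'},
]

# Joe Sandbox prints command lines with single quotes; real event logs carry
# double quotes, so every pattern accepts either (or an unquoted token).
XML_ARG = re.compile(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
TN_ARG = re.compile(r"/tn\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# Locations an unprivileged user can write to; a task definition imported from
# here was staged by whichever process is registering the task (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Desktop|ProgramData)\\", re.IGNORECASE)
# Parents executing out of the user profile are lures or droppers far more
# often than they are installers (assumed heuristic).
USER_PROFILE_PARENT = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)


def _first_group(match):
    """Return whichever quoting alternative of XML_ARG/TN_ARG actually matched."""
    return next(g for g in match.groups() if g is not None)


def classify(event):
    """Return a finding dict for a suspicious schtasks /create, else None."""
    image, cmd = event["Image"], event["CommandLine"]
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"\s/create\b", cmd, re.IGNORECASE):
        return None  # /query, /delete, /run are not persistence by themselves
    reasons = []
    xml = XML_ARG.search(cmd)
    if xml and USER_WRITABLE.search(_first_group(xml)):
        reasons.append("task XML imported from user-writable path")
    if USER_PROFILE_PARENT.search(event["ParentImage"]):
        reasons.append("registered by a process running from the user profile")
    if re.search(r"\s/f\b", cmd, re.IGNORECASE):
        reasons.append("/f silently replaces an existing task of the same name")
    if not reasons:
        return None
    tn = TN_ARG.search(cmd)
    return {
        "task": _first_group(tn) if tn else None,
        "xml": _first_group(xml) if xml else None,
        "parent": event["ParentImage"],
        "reasons": reasons,
    }


def hunt(events):
    """Apply classify() to a stream of events and keep the hits."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[!] task {hit['task']!r} from {hit['xml']} ({'; '.join(hit['reasons'])})")
```

        A hit still tells you nothing about the task's action, because the definition lived in a .tmp file. Pull it from the host with schtasks /query /tn "DHCP Monitor" /xml (or from the Task Scheduler operational log) and compare its Exec path with the file the report shows being dropped, C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe.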

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Users\user\Desktop\Document.1-xml.eml.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process information set: NOOPENFILEERRORBOX (66 identical entries in the report)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries in the report)
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe TID: 5376 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe TID: 4184 | Thread sleep time: -180000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_049111C2 GetSystemInfo,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\KERNELBASE.dll
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\MSCOREE.DLL
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.1_none_8ef454a057103afa
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\KERNEL32.dll
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_0042D8AA IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_0042D495 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_0042D8AA IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_0042D495 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 21_2_0042D8AA IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_0042D495 SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_0042D8AA IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp'
        Source: Document.1-xml.eml.exe, 0000000F.00000002.922034684.00000000027A3000.00000004.00000001.sdmp | Binary or memory string: Program Manager(
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920209989.0000000000863000.00000004.00000020.sdmp | Binary or memory string: Program Managerh
        Source: Document.1-xml.eml.exe, 0000000F.00000002.921886937.000000000276D000.00000004.00000001.sdmp, Document.1-xml.eml.exe, 00000015.00000002.910901870.0000000000EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000016.00000002.909798594.0000000000E80000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.916065804.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp | Binary or memory string: Program Manager$
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920264886.0000000000D60000.00000002.00000001.sdmp, Document.1-xml.eml.exe, 00000015.00000002.910901870.0000000000EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000016.00000002.909798594.0000000000E80000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.916065804.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920264886.0000000000D60000.00000002.00000001.sdmp, Document.1-xml.eml.exe, 00000015.00000002.910901870.0000000000EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000016.00000002.909798594.0000000000E80000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.916065804.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: Document.1-xml.eml.exe, 0000000F.00000002.924594156.00000000028EB000.00000004.00000001.sdmp | Binary or memory string: Program ManagerL
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920264886.0000000000D60000.00000002.00000001.sdmp, Document.1-xml.eml.exe, 00000015.00000002.910901870.0000000000EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000016.00000002.909798594.0000000000E80000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.916065804.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 0_2_0042D7CE GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_0073AF9A GetUserNameW,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Document.1-xml.eml.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_049128F6 bind,
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_049128C3 bind,

Mitre Att&ck Matrix

Techniques the report maps to this sample, grouped by tactic. The figure in parentheses is the marker the original matrix renders next to each mapped technique; the matrix's unhighlighted template cells (techniques not observed for this sample) are omitted.

Execution: Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Scheduled Task/Job (1), Access Token Manipulation (1), Process Injection (12)
Defense Evasion: Masquerading (2), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (12), Deobfuscate/Decode Files or Information (11), Hidden Files and Directories (1), Obfuscated Files or Information (3), Software Packing (33)
Credential Access: Input Capture (21)
Discovery: System Time Discovery (1), Security Software Discovery (111), Process Discovery (2), Virtualization/Sandbox Evasion (21), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (4)
Collection: Input Capture (21), Archive Collected Data (11)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Ingress Tool Transfer (1), Application Layer Protocol (1)
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no technique mapped

Behavior Graph

Behavior Graph ID: 452441; Sample: Document.1-xml.eml.exe; Start date: 22/07/2021; Architecture: WINDOWS; Score: 100

Signatures attached to the sample as a whole: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree reconstructed from the graph (the figures after a process name are the graph's created-registry-value / created-file annotations, kept as rendered):

Start
  Document.1-xml.eml.exe 1 2
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules
    Document.1-xml.eml.exe 1 15 (child process)
      network: 194.5.98.136 port 2888, from local ports 49759 and 49760 (DANILENKODE, Netherlands)
      dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp3A3F.tmp (XML)
      signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      schtasks.exe 1
        conhost.exe
      schtasks.exe 1
        conhost.exe
  dhcpmon.exe 2
  dhcpmon.exe 2
  Document.1-xml.eml.exe 2

Screenshots

Thumbnails: the report's screenshot images are not reproduced in this text rendering.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Document.1-xml.eml.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

Source | Detection | Scanner | Label
15.2.Document.1-xml.eml.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.1.Document.1-xml.eml.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.2.Document.1-xml.eml.exe.52f0000.8.unpack | 100% | Avira | TR/NanoCore.fadte
15.2.Document.1-xml.eml.exe.36e7a58.3.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        No Antivirus matches

URLs

Source | Detection | Scanner | Label
[blank entry] | 0% | Avira URL Cloud | safe
194.5.98.136 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
[blank entry] | true | Avira URL Cloud: safe | low
194.5.98.136 | true | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.136 | unknown | Netherlands | 208476 | DANILENKODE | true

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:452441
        Start date:22.07.2021
        Start time:11:09:09
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 9m 11s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:Document.1-xml.eml.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@11/7@0/1
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 6.2% (good quality ratio 5.5%)
        • Quality average: 65.2%
        • Quality standard deviation: 31.4%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/452441/sample/Document.1-xml.eml.exe

Simulations

Behavior and APIs

Time | Type | Description
11:11:10 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
11:11:11 | API Interceptor | 367x Sleep call for process: Document.1-xml.eml.exe modified
11:11:12 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Document.1-xml.eml.exe" s>$(Arg0)
11:11:13 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
194.5.98.136 | hiSgJfiWKR.exe | malicious

Domains

No context

ASN

Match: DANILENKODE. Other analysed samples that contacted this ASN (sample name | detection | IP contacted):
2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe | malicious | 194.5.98.212
ynFBVCYIcu.exe | malicious | 194.5.98.195
#RFQ ORDER7678432213211.exe | malicious | 194.5.98.120
ORDER.exe | malicious | 194.5.98.23
Q_007880.exe | malicious | 194.5.97.168
eQqnH61qiB.exe | malicious | 194.5.98.207
B32E407DC3284184684B29FD5235CBEDF2B60F60AED84.exe | malicious | 194.5.98.15
MbBw6XTmif.exe | malicious | 194.5.98.107
Jose Luis Ezeiza.cv7-15-2021.exe | malicious | 194.5.98.8
t3uss3bjUL.exe | malicious | 194.5.98.182
Agree Ment Letter-34222876190544.exe | malicious | 194.5.98.63
purestub.exe | malicious | 194.5.98.63
RFQ4100003433189994565.exe | malicious | 194.5.98.195
Order0045439090.exe | malicious | 194.5.98.8
TPJCc3cswr.exe | malicious | 194.5.97.44
Proof of payment.exe | malicious | 194.5.97.181
Payment Schedule.xlsx | malicious | 194.5.97.44
FbJ8HGm3HU.exe | malicious | 194.5.98.210
sRXwLQjycE.exe | malicious | 194.5.98.107
elmPEd3zO7.exe | malicious | 194.5.97.131

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):266240
          Entropy (8bit):7.69767681098034
          Encrypted:false
          SSDEEP:6144:ql3N9PSj4kLkfPYD/z+gw/MyxSGsjB3ERuGDKI0nDzvQbBxSxg9eDxjXTWOA/uu:SN9PSjvLEwDLfKR9I3EzeIEqBxSxg9e0
          MD5:4D48E3CBFC19B5729B6C7A968A957805
          SHA1:4863E913B2E5709D9ED8C5937AE046E2EDEEE152
          SHA-256:45CF5D850CA6806FD9B55EF35A2EBE8AA2D9B724B67F96EAC270C44D1A85E810
          SHA-512:D77C98A1A9A15C4BBD63ED573043634D6AF46955ABAD40446A22B78F0B821445C63D6EA02A604A0388D6ADBE460C8BA8178D9AF8E3735DDE3AC28F3435E269C2
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 20%
          Reputation:low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....q.^.....................2......z.............@.......................... ...............................................l..........................................................................@...............8...............H............text............................... ..`.rdata..B...........................@..@.data................l..............@....tineh.......p.......n..............@....rsrc................p..............@..@........................................................................................................................................................................................................................................................................................................................
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:false
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0
          C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1308
          Entropy (8bit):5.103875449395091
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YH5xtn:cbk4oL600QydbQxIYODOLedq3z5j
          MD5:F02D946FE2EDA095757A14A5D6B3BF6C
          SHA1:2AFBD7F5FBE2CA13357D9BE3DCAAF5F7162D32D4
          SHA-256:2BF693A2ADB49A20EE00B31714B8E284F8FE4090D4CEC038AC799DE677B91C03
          SHA-512:1BF8922586AEAD0DF782E6512FF8E80E952FA4895CA01991C0D8BD033E3B15F8D79D4C9DA7BD6A558540FE826D84280A5D3E0400599A37C0AA4970993C1F5049
          Malicious:true
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:data
          Category:modified
          Size (bytes):1624
          Entropy (8bit):7.024371743172393
          Encrypted:false
          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC08
          MD5:0D79388CEC6619D612C2088173BB6741
          SHA1:8A312E3198009C545D0CF3254572189D29A03EA7
          SHA-256:D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF
          SHA-512:53BB3E9263DFD746E7E8159466E220E6EC9D81E9D3F0E1D191E09CD511B7EB93B0BA65D13CE0C97C652ECD0F69BB991E6B1840F961BC65003C4DD7AA93EEDA13
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:data
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:Ho:Ho
          MD5:74D4095194671D1DA20222ADFA1C18BC
          SHA1:4B47B8408E276625224DE42E215599003B266077
          SHA-256:3244CA869DD5C5746ACA3A8B6BD25780FE44BCD7AC82256D9DC93F42FDEE325A
          SHA-512:DC6C9A8BEA613BB3EC1CD9E123647EEB86587D9B6C20E25458F4D0EC2BB7FA6A81EF8209464E799CC8E500C96BE36C96D5E596C9C64139649567750BAE1870AC
          Malicious:true
          Preview: ..O..L.H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Users\user\Desktop\Document.1-xml.eml.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):45
          Entropy (8bit):4.160383163865372
          Encrypted:false
          SSDEEP:3:oNt+WfWhKH9lPy7L4A:oNwvcd5yPN
          MD5:B6A68884FD59FC6156B731FD07370D3F
          SHA1:287D7FE38B4353680C61C163FF0FD407CA5D9161
          SHA-256:EB08A56415072B846D03AECB1A5FD7B9570F90F79F92D6C7DDD37ACFBF28ED19
          SHA-512:DBCFCC356E58E3DDB3679010BB4F3CEC3AF3AF0608E87E2008AF75A0B0D50832E9A8BF1BDF66C7973A5A91C28C82618E7C8CF5250A2EC570DF8874193F8A1815
          Malicious:false
          Preview: C:\Users\user\Desktop\Document.1-xml.eml.exe
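
The two Task Scheduler XML files above, the Zone.Identifier stream written with ZoneId=0, and the dhcpmon.exe copy (its SHA-256 is identical to the submitted sample's) are the persistence artefacts a responder would pull from a host. The following Python triages the first two. It is an added example, not code from the sandbox report or from any tool it names: the XML is a constructed sample modelled on the tmp3A3F.tmp preview, whose text is cut off before the <Actions> element, so that element is an assumption filled with the command and the "s>$(Arg0)" argument from the Behavior and APIs table; the triage_task and zone_id functions and the finding texts are this example's own.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the tmp3A3F.tmp preview. The <Actions> element
# is an assumption (the preview stops before it); its values come from the
# "Behavior and APIs" table of the report.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe</Command>
      <Arguments>s&gt;$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Content of the dropped dhcpmon.exe:Zone.Identifier stream (26 bytes in the report).
SAMPLE_ZONE_ADS = "[ZoneTransfer]\r\nZoneId=0\r\n"

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def _text(root, path):
    node = root.find(path, TASK_NS)
    return node.text.strip() if node is not None and node.text else ""


def triage_task(xml_text: str) -> dict:
    """Extract the fields that matter for persistence review from a Task XML."""
    # The dropped file declares UTF-16 but is stored as ASCII; drop the declaration
    # so ElementTree does not apply the wrong codec to a str input.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    triggers = root.find("t:Triggers", TASK_NS)
    info = {
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "trigger_count": len(list(triggers)) if triggers is not None else 0,
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "command": _text(root, "t:Actions/t:Exec/t:Command"),
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
        "findings": [],
    }
    f = info["findings"]
    if info["run_level"] == "HighestAvailable":
        f.append("RunLevel HighestAvailable: the action runs with the highest token "
                 "available to the principal, with no UAC prompt when the task is started")
    if info["trigger_count"] == 0:
        f.append("no triggers: the task exists only to be started on demand "
                 "(for example via schtasks /run), i.e. it is a launcher, not a schedule")
    if "$(Arg" in info["arguments"]:
        f.append("argument passthrough $(ArgN): whoever starts the task supplies "
                 "part of the command line")
    return info


def zone_id(ads_text: str):
    """ZoneId from a Zone.Identifier alternate data stream, or None if absent."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)", ads_text, re.M | re.I)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    result = triage_task(SAMPLE_TASK_XML)
    print(f"{result['command']} {result['arguments']}  (RunLevel={result['run_level']}, "
          f"triggers={result['trigger_count']}, hidden={result['hidden']})")
    for finding in result["findings"]:
        print("!", finding)
    z = zone_id(SAMPLE_ZONE_ADS)
    print(f"Zone.Identifier ZoneId={z} ({ZONE_NAMES.get(z, 'unknown')}); "
          "ZoneId 3 would mark the file as downloaded from the Internet")
```

The combination the script flags, an elevated run level with no trigger, is what lets a medium-integrity process relaunch the payload with full privileges by simply running the task; and a ZoneId of 0 on a file the sample itself wrote is the "Hides that the sample has been downloaded from the Internet" signature in concrete form, since the mark of the web (ZoneId 3) is what SmartScreen and Office checks key on.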

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.69767681098034
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          • Win32 Executable (generic) a (10002005/4) 49.96%
          • Clipper DOS Executable (2020/12) 0.01%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:Document.1-xml.eml.exe
          File size:266240
          MD5:4d48e3cbfc19b5729b6c7a968a957805
          SHA1:4863e913b2e5709d9ed8c5937ae046e2edeee152
          SHA256:45cf5d850ca6806fd9b55ef35a2ebe8aa2d9b724b67f96eac270c44d1a85e810
          SHA512:d77c98a1a9a15c4bbd63ed573043634d6af46955abad40446a22b78f0b821445c63d6ea02a604a0388d6adbe460c8ba8178d9af8e3735dde3ac28f3435e269c2
          SSDEEP:6144:ql3N9PSj4kLkfPYD/z+gw/MyxSGsjB3ERuGDKI0nDzvQbBxSxg9eDxjXTWOA/uu:SN9PSjvLEwDLfKR9I3EzeIEqBxSxg9e0
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....q.^...

          File Icon

          Icon Hash:cca6dacac2cacac0

          Static PE Info

          General

          Entrypoint:0x42e87a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x5EF671D4 [Fri Jun 26 22:08:20 2020 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v2.0.50727
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:7bd0dc6ab22820cf89df2f4bb39531c5

          Entrypoint Preview

Instruction (the first instruction is the standard native entry stub of a .NET executable: an indirect jump through the IAT slot at 0x0042F214, which lies inside the IAT directory at RVA 0x2f000 to 0x2f238, to mscoree!_CorExeMain; the lines after it are non-code bytes following the stub, decoded as instructions, and carry no meaning)
jmp dword ptr [0042F214h]
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          add byte ptr [edi+00h], 00000000h
          add al, 2Ah
          int3
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          cmp byte ptr [2A040000h], FFFFFFCCh
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          add byte ptr [edx+00h], 00000000h
          add al, 2Ah
          int3
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          or byte ptr [edx+00h], 00000000h
          add al, 2Ah
          int3
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          add byte ptr [ebp+00h], 00000000h
          add al, 2Ah
          int3
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          or byte ptr [ebp+00h], 00000000h
          add al, 2Ah
          int3
          add esi, dword ptr [eax]
          add dword ptr [eax], eax
          pop es
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], dl
          add byte ptr [eax+00h], 00000000h
          add al, 2Ah
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36cbc | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x9f88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f618 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x238 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2f5b8 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d90b | 0x2da00 | False | 0.975037457192 | data | 7.96899648432 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2f000 | 0x8d42 | 0x8e00 | False | 0.370956205986 | data | 6.01002219617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x38000 | 0xedd0 | 0x200 | False | 0.35546875 | data | 3.0016604882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tineh | 0x47000 | 0xa | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x48000 | 0x9f88 | 0xa000 | False | 0.603100585938 | data | 6.13590130558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
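
The section table is the fastest static tell in this report: .text has an entropy of 7.97 out of a possible 8.0, which is what compressed or encrypted data looks like, not compiled code; the file carries an extra section with the non-standard name .tineh; and the data directories set both IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a CLR header) and a native import table, so this is a mixed-mode loader rather than a plain C# assembly. The Python below reproduces that triage from the raw headers with the standard library only. It is an added example, not code from the sandbox report or from any tool it names; build_sample_pe() constructs a tiny PE32 in memory (one pseudo-random executable section, one zero-filled section named .tineh, and a populated CLR directory) so the script runs offline, and the 7.0 entropy threshold and the list of standard section names are this example's own choices.

```python
import hashlib
import math
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a typical MSVC / .NET build emits; anything else is worth a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                          ".edata", ".pdata", ".tls", ".bss", ".CRT", ".rodata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pe_offsets(pe: bytes):
    """Return (optional-header offset, its size, section count) after validating the signature."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    return coff + 20, size_opt, n_sections


def parse_sections(pe: bytes) -> list:
    """Walk the 40-byte IMAGE_SECTION_HEADER entries and measure each raw section."""
    opt, size_opt, n_sections = _pe_offsets(pe)
    out = []
    for i in range(n_sections):
        off = opt + size_opt + i * 40
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        out.append({"name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
                    "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
                    "characteristics": chars, "entropy": shannon_entropy(raw)})
    return out


def has_clr_header(pe: bytes) -> bool:
    """True if data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated."""
    opt, _, _ = _pe_offsets(pe)
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_base = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    (n_dirs,) = struct.unpack_from("<I", pe, dir_base - 4)  # NumberOfRvaAndSizes
    if n_dirs < 15:
        return False
    rva, size = struct.unpack_from("<II", pe, dir_base + 14 * 8)
    return rva != 0 and size != 0


def triage(pe: bytes, packed_threshold: float = 7.0) -> dict:
    sections = parse_sections(pe)
    findings = []
    for s in sections:
        executable = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if executable and s["entropy"] > packed_threshold:
            findings.append(f"{s['name']} is executable with entropy {s['entropy']:.2f}: "
                            "likely packed or encrypted payload")
        if executable and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']} is writable and executable")
    if has_clr_header(pe):
        findings.append("CLR header present: managed code; with a native import table "
                        "alongside it this is a mixed-mode image")
    return {"sections": sections, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 for the demo (not the report's sample): pseudo-random .text,
    zero-filled '.tineh', CLR directory values copied from the report's table."""
    text = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 high-entropy bytes
    tineh = b"\0" * 0x200
    size_opt, raw_base = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2F5B8, 0x48)         # COM descriptor directory
    sec = struct.Struct("<8sIIIIIIHHI")
    hdr = (dos + b"PE\0\0" + coff + bytes(opt)
           + sec.pack(b".text", len(text), 0x1000, len(text), raw_base, 0, 0, 0, 0, 0x60000020)
           + sec.pack(b".tineh", 0xA, 0x2000, len(tineh), raw_base + len(text), 0, 0, 0, 0, 0xC0000040))
    return hdr.ljust(raw_base, b"\0") + text + tineh


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    result = triage(data)
    for s in result["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    for finding in result["findings"]:
        print("!", finding)
```

Run it with a file path to triage a real image, or with no argument to see the constructed sample flagged on all three counts. Entropy alone does not prove packing (a large embedded certificate or compressed resource also scores high), which is why the check is restricted to sections marked executable; on this sample the resource section scores only 6.1 while the code section sits at 7.97.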

Resources

Name | RVA | Size | Type | Language | Country
PIXANAHUZASUPUYECUBUJIVAYUTID | 0x48494 | 0x100 | ASCII text, with no line terminators | English | United States
ZASIZO | 0x48594 | 0x2730 | ASCII text, with very long lines, with no line terminators | English | United States
RT_CURSOR | 0x4acc4 | 0x130 | data
RT_ICON | 0x4adf4 | 0xea8 | data
RT_ICON | 0x4bc9c | 0x8a8 | data
RT_ICON | 0x4c544 | 0x6c8 | data
RT_ICON | 0x4cc0c | 0x568 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x4d174 | 0x25a8 | data
RT_ICON | 0x4f71c | 0x10a8 | data
RT_ICON | 0x507c4 | 0x988 | dBase III DBT, version number 0, next free block index 40
RT_ICON | 0x5114c | 0x468 | GLS_BINARY_LSB_FIRST
RT_MENU | 0x515b4 | 0x63e | data
RT_ACCELERATOR | 0x51bf4 | 0x10 | data
RT_GROUP_CURSOR | 0x51c04 | 0x14 | data
RT_GROUP_ICON | 0x51c18 | 0x76 | data
RT_VERSION | 0x51c90 | 0xa0 | data | FYRO Macedonia | Macedonia
RT_MANIFEST | 0x51d30 | 0x256 | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Imports
MSVCR90.dll | __CxxExceptionFilter, fwrite, __CxxRegisterExceptionObject, __CxxDetectRethrow, __CxxUnregisterExceptionObject, memmove_s, ??2@YAPAXI@Z, _invalid_parameter_noinfo, _CxxThrowException, __CxxQueryExceptionSize, calloc, fclose, _crt_debugger_hook, _controlfp_s, _invoke_watson, _except_handler4_common, _decode_pointer, _onexit, _lock, __dllonexit, _unlock, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, ?terminate@@YAXXZ, __set_app_type, ??0exception@std@@QAE@XZ, ??_V@YAXPAX@Z, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _encoded_null, __FrameUnwindFilter, sprintf, free, fread, _configthreadlocale, _initterm_e, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit, __wgetmainargs, _amsg_exit, ??3@YAXPAX@Z, ??0exception@std@@QAE@ABV01@@Z, ?what@exception@std@@UBEPBDXZ, ??1exception@std@@UAE@XZ, ??0exception@std@@QAE@ABQBD@Z
KERNEL32.dll | GetNativeSystemInfo, CompareFileTime, LocalFileTimeToFileTime, GetSystemTimes, GetSystemRegistryQuota, ExitThread, VirtualProtect, GetModuleHandleA, GetLastError, GetModuleHandleW, SetLastError, GetFileType, FileTimeToSystemTime, InterlockedExchange, Sleep, InterlockedCompareExchange, GetStartupInfoW, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetTapeParameters, IsProcessorFeaturePresent, LocalAlloc
USER32.dll | CreateWindowExA, ShowWindow, UpdateWindow, CreateCaret, GetCursor, AnyPopup, AdjustWindowRect, GetWindowRect, GetClientRect, LoadIconW, GetWindowTextLengthW
GDI32.dll | CreateDIBitmap, CreateEllipticRgn, SetPolyFillMode, StretchBlt, CreateDIBPatternBrush, EndPath, BitBlt, PlayMetaFileRecord, GetPath, FillPath, CreateDCA, BeginPath, CreateDiscardableBitmap
ADVAPI32.dll | RegSetValueW
SHELL32.dll | DragAcceptFiles
MSIMG32.dll | AlphaBlend, TransparentBlt
COMCTL32.dll |
WINHTTP.dll | WinHttpConnect, WinHttpOpen, WinHttpSetOption, WinHttpReadData, WinHttpOpenRequest
MSVCP90.dll | ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ, ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z, ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z, ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0379 0x0514

Possible Origin

Language of compilation system | Country where language is spoken
English | United States
FYRO Macedonia | Macedonia

          Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/21-11:11:12.962722 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:19.563619 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49760 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:25.992162 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:32.486124 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:39.847669 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:46.236718 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:53.077018 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 2888 | 192.168.2.4 | 194.5.98.136
07/22/21-11:11:59.559867 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49766 | 2888 | 192.168.2.4 | 194.5.98.136
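
The alert table shows the C2 pattern as well as the content match: a fresh connection to 194.5.98.136:2888 roughly every 6.5 seconds, from consecutive local ports 49759 to 49766. ET rule 2025019 fires on the first 60 bytes of the NanoCore handshake; when no signature matches, the same traffic can still be caught by its timing. The following Python is an added example, not part of the sandbox report or of the Emerging Threats rule set: it runs an interval-regularity check over a connection list, using the eight alert timestamps above as the malicious flow and a constructed set of connections to a documentation address (203.0.113.10:443) as benign noise; the thresholds, the WELL_KNOWN_PORTS set and the find_beacons function are this example's own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# One entry per connection: (timestamp, src_ip, src_port, dst_ip, dst_port).
# The 194.5.98.136 rows are the Snort alert timestamps from the report (one
# alert per connection). The 203.0.113.10 rows are constructed browsing noise.
SAMPLE_CONNECTIONS = [
    ("2021-07-22 11:11:12.962722", "192.168.2.4", 49759, "194.5.98.136", 2888),
    ("2021-07-22 11:11:19.563619", "192.168.2.4", 49760, "194.5.98.136", 2888),
    ("2021-07-22 11:11:25.992162", "192.168.2.4", 49761, "194.5.98.136", 2888),
    ("2021-07-22 11:11:32.486124", "192.168.2.4", 49762, "194.5.98.136", 2888),
    ("2021-07-22 11:11:39.847669", "192.168.2.4", 49763, "194.5.98.136", 2888),
    ("2021-07-22 11:11:46.236718", "192.168.2.4", 49764, "194.5.98.136", 2888),
    ("2021-07-22 11:11:53.077018", "192.168.2.4", 49765, "194.5.98.136", 2888),
    ("2021-07-22 11:11:59.559867", "192.168.2.4", 49766, "194.5.98.136", 2888),
    ("2021-07-22 11:11:05.100000", "192.168.2.4", 49701, "203.0.113.10", 443),
    ("2021-07-22 11:11:05.400000", "192.168.2.4", 49702, "203.0.113.10", 443),
    ("2021-07-22 11:11:30.000000", "192.168.2.4", 49710, "203.0.113.10", 443),
    ("2021-07-22 11:12:10.200000", "192.168.2.4", 49730, "203.0.113.10", 443),
    ("2021-07-22 11:12:11.000000", "192.168.2.4", 49731, "203.0.113.10", 443),
]

# Ports where regular connections are common enough to need a second look
# before alerting; anything else is treated as a non-standard port.
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}


def find_beacons(connections, min_connections=5, max_cv=0.25):
    """Group connections by (src, dst, dport) and flag destinations contacted at
    near-constant intervals. cv is stdev/mean of the gaps between connections:
    a timer-driven implant scores close to 0, human-driven traffic close to or
    above 1."""
    by_dst = defaultdict(list)
    for ts, src, _sport, dst, dport in connections:
        by_dst[(src, dst, dport)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))
    beacons = []
    for (src, dst, dport), times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": (dst, dport), "connections": len(times),
                "mean_interval": avg, "cv": cv,
                "non_standard_port": dport not in WELL_KNOWN_PORTS,
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        flag = " (non-standard port)" if b["non_standard_port"] else ""
        print(f"{b['src']} -> {b['dst'][0]}:{b['dst'][1]}{flag}: {b['connections']} connections, "
              f"every {b['mean_interval']:.1f}s, cv={b['cv']:.3f}")
```

On the sample data only the 2888 flow is reported (eight connections, about 6.7 s apart, cv under 0.05); the HTTPS noise has a cv above 1 and is dropped. Real implants add jitter, so in production the cv threshold is a tuning knob, and the check is best combined with the port and destination-reputation columns this report already provides.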

          TCP Packets


          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time: 11:09:54
          Start date: 22/07/2021
          Path: C:\Users\user\Desktop\Document.1-xml.eml.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe'
          Imagebase: 0x400000
          File size: 266240 bytes
          MD5 hash: 4D48E3CBFC19B5729B6C7A968A957805
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation: low

          General

          Start time: 11:11:08
          Start date: 22/07/2021
          Path: C:\Users\user\Desktop\Document.1-xml.eml.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe'
          Imagebase: 0x400000
          File size: 266240 bytes
          MD5 hash: 4D48E3CBFC19B5729B6C7A968A957805
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, Author: Florian Roth
          Reputation: low

          General

          Start time: 11:11:10
          Start date: 22/07/2021
          Path: C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit): true
          Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp'
          Imagebase: 0x260000
          File size: 185856 bytes
          MD5 hash: 15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 11:11:10
          Start date: 22/07/2021
          Path: C:\Windows\System32\conhost.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase: 0x7ff724c50000
          File size: 625664 bytes
          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 11:11:11
          Start date: 22/07/2021
          Path: C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit): true
          Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp'
          Imagebase: 0x260000
          File size: 185856 bytes
          MD5 hash: 15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 11:11:11
          Start date: 22/07/2021
          Path: C:\Windows\System32\conhost.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase: 0x7ff724c50000
          File size: 625664 bytes
          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 11:11:12
          Start date: 22/07/2021
          Path: C:\Users\user\Desktop\Document.1-xml.eml.exe
          Wow64 process (32bit): true
          Commandline: C:\Users\user\Desktop\Document.1-xml.eml.exe 0
          Imagebase: 0x400000
          File size: 266240 bytes
          MD5 hash: 4D48E3CBFC19B5729B6C7A968A957805
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Reputation: low

          General

          Start time: 11:11:13
          Start date: 22/07/2021
          Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase: 0x400000
          File size: 266240 bytes
          MD5 hash: 4D48E3CBFC19B5729B6C7A968A957805
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Antivirus matches:
          • Detection: 20%, ReversingLabs
          Reputation: low

          General

          Start time: 11:11:19
          Start date: 22/07/2021
          Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase: 0x400000
          File size: 266240 bytes
          MD5 hash: 4D48E3CBFC19B5729B6C7A968A957805
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation: low

          Disassembly

          Code Analysis
