Play interactive tour

Edit tour

Windows Analysis Report RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Overview

General Information

Sample Name:	RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Analysis ID:	458308
MD5:	8c457878cc3c72ea684d3034837101e0
SHA1:	8aad02989c92c45252b7e41f0c712db31c0a1574
SHA256:	94dc3ceb75323f7b1bff7355da2d28804d4df36fa98a1335211101ef94bb2dda
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 4328 cmdline: 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe' MD5: 8C457878CC3C72EA684D3034837101E0)

schtasks.exe (PID: 980 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 3528 cmdline: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe MD5: 8C457878CC3C72EA684D3034837101E0)

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 248 cmdline: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe MD5: 8C457878CC3C72EA684D3034837101E0)

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 5612 cmdline: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe MD5: 8C457878CC3C72EA684D3034837101E0)

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 1704 cmdline: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe MD5: 8C457878CC3C72EA684D3034837101E0)

RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (PID: 4724 cmdline: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe MD5: 8C457878CC3C72EA684D3034837101E0)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x183fbd:$x1: NanoCore.ClientPluginHost 0x183ffa:$x2: IClientNetworkHost 0x187b2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x183d25:$a: NanoCore 0x183d35:$a: NanoCore 0x183f69:$a: NanoCore 0x183f7d:$a: NanoCore 0x183fbd:$a: NanoCore 0x183d84:$b: ClientPlugin 0x183f86:$b: ClientPlugin 0x183fc6:$b: ClientPlugin 0x183eab:$c: ProjectData 0x2dd371:$c: ProjectData 0x3d95a9:$c: ProjectData 0x1848b2:$d: DESCrypto 0x18c27e:$e: KeepAlive 0x18a26c:$g: LogClientMessage 0x186467:$i: get_Connected 0xb22b6:$j: #=q 0x184be8:$j: #=q 0x184c18:$j: #=q 0x184c34:$j: #=q 0x184c64:$j: #=q 0x184c80:$j: #=q
00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9a19e:$x1: NanoCore.ClientPluginHost 0x9a1db:$x2: IClientNetworkHost 0x9d587:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa820b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x99ff1:$a: NanoCore 0x9a001:$a: NanoCore 0x9a05c:$a: NanoCore 0x9a06b:$a: NanoCore 0x9a14a:$a: NanoCore 0x9a15e:$a: NanoCore 0x9a19e:$a: NanoCore 0xa4875:$a: NanoCore 0xa4887:$a: NanoCore 0xa48c3:$a: NanoCore 0x9a015:$b: ClientPlugin 0x9a0b5:$b: ClientPlugin 0x9a167:$b: ClientPlugin 0x9a1a7:$b: ClientPlugin 0xa4890:$b: ClientPlugin 0xa48cc:$b: ClientPlugin 0x5abd4:$c: ProjectData 0xa47c2:$c: ProjectData 0xb54c8:$c: ProjectData 0xb73f7:$c: ProjectData 0xcafab:$c: ProjectData
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x169541:$c: ProjectData 0x265779:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, CommandLine: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, CommandLine|base64offset|contains: m, Image: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, NewProcessName: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, OriginalFileName: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ParentCommandLine: 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe' , ParentImage: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ParentProcessId: 4328, ProcessCommandLine: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ProcessId: 3528

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Virustotal: Detection: 30%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 194.5.98.127
Source: Malware configuration extractor	URLs: 127.0.0.1

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165F1069	0_2_00007FFA165F1069
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 4_2_004C9626	4_2_004C9626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 5_2_005C9626	5_2_005C9626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 6_2_00E39626	6_2_00E39626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 7_2_00E69626	7_2_00E69626
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 8_2_004E9626	8_2_004E9626

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DCBdvFPc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258514535.0000000000874000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258791813.0000000000C59000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265290815.000000001BD60000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259722065.00000000011C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265676778.000000001C370000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000004.00000000.251695079.00000000005E4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000005.00000002.253481024.00000000006E4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000006.00000000.254482952.0000000000F54000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000007.00000000.256067829.0000000000F84000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000008.00000002.258139772.0000000000604000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DCBdvFPc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/4@0/0

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_01

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5F10.tmp

Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File read: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe'
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static file information: File size 1203712 > 1048576

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x120e00

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165F7B0C pushad ; iretd	0_2_00007FFA165F7B0D
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165FD19A push cs; retn 0000h	0_2_00007FFA165FD1B1
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165FC95F push cs; retn 0000h	0_2_00007FFA165FC971
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165FB427 push cs; retn 0000h	0_2_00007FFA165FB441
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165F4021 push cs; retn 0000h	0_2_00007FFA165F4025
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Code function: 0_2_00007FFA165F9C06 push es; retf	0_2_00007FFA165F9C07

Source: initial sample	Static PE information: section name: .text entropy: 7.70845208383
Source: initial sample	Static PE information: section name: .text entropy: 7.70845208383

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: xls.exe

Static PE information: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 5840	Thread sleep time: -40406s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Thread delayed: delay time: 40406			Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection11	Masquerading21	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information12	LSA Secrets	System Information Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	30%	Virustotal		Browse
RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\DCBdvFPc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\DCBdvFPc.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
194.5.98.127	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
194.5.98.127	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458308
Start date:	03.08.2021
Start time:	08:31:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.1% (good quality ratio 9.5%) Quality average: 38.2% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 73% Number of executed functions: 37 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:32:29	API Interceptor	1x Sleep call for process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.log Download File
Process:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	664
Entropy (8bit):	5.280979230295524
Encrypted:	false
SSDEEP:	12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70OAEaANv:ML2pBLaYgioQxAfA9
MD5:	4F9B2B715AECAC008745D08674616098
SHA1:	C57514C4DD41B45672DA1B05D487E72D46F000AC
SHA-256:	E3A1D0AC3EC711220FADB6166C7C40078134ED136865BCB35DF2034091CB66A9
SHA-512:	4F26878A7FF989DF363B1E55614D856408C44B7F970AA725F1B7C1431D52A7793BFAA22F53897CCF7469E52615550B06FCDBC1A6D51CC5390B2C87FD8559037B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\bc6a0a01a7bd9d05ca132f229184fce6\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp5F10.tmp Download File
Process:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.170850892375768
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
MD5:	D0B8C7DFE85A2E2E892799522AE2047E
SHA1:	575197E95711C9B507A46594C816DB44D9F23D7E
SHA-256:	B078D571D2675B6B56E0529CCB06754785970F3CB225AED532C1987A3034B0B8
SHA-512:	45F535890A75548586ACFA76BBB0DB9DE8C4A49BDAF03772AE234278D997C09C2BC10AA6F43BAB1F0DAF17C3773F3BC243A13CB1869554C133EE8C53FA5341CE
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\DCBdvFPc.exe Download File
Process:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1203712
Entropy (8bit):	7.695986682629614
Encrypted:	false
SSDEEP:	24576:lrQ9Pmo5Hu99hpsqpBEae4tBI8vNRwiPXToUE1LXBc:hQMo5Hg39DwiPjKJ
MD5:	8C457878CC3C72EA684D3034837101E0
SHA1:	8AAD02989C92C45252B7E41F0C712DB31C0A1574
SHA-256:	94DC3CEB75323F7B1BFF7355DA2D28804D4DF36FA98A1335211101EF94BB2DDA
SHA-512:	2DD8D56814AD511C06A4E331F43B1C4F766C3868F1254B37EFDF173FBCCF1D3887F834A5483936E19431E047505BA8881603D2277203DDE5F0A16A81C467A1C5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..a.........."...P......N......z-... ...@....@.. ....................................@.................................(-..O....@...K........................................................................... ............... ..H............text........ ...................... ..`.rsrc....K...@...L..................@..@.reloc...............\..............@..B................\-......H...........,...........HV...............................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Users\user\AppData\Roaming\DCBdvFPc.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.695986682629614
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
File size:	1203712
MD5:	8c457878cc3c72ea684d3034837101e0
SHA1:	8aad02989c92c45252b7e41f0c712db31c0a1574
SHA256:	94dc3ceb75323f7b1bff7355da2d28804d4df36fa98a1335211101ef94bb2dda
SHA512:	2dd8d56814ad511c06a4e331f43b1c4f766c3868f1254b37efdf173fbccf1d3887f834a5483936e19431e047505ba8881603d2277203dde5f0a16a81c467a1c5
SSDEEP:	24576:lrQ9Pmo5Hu99hpsqpBEae4tBI8vNRwiPXToUE1LXBc:hQMo5Hg39DwiPjKJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..a.........."...P......N......z-... ...@....@.. ....................................@................................

File Icon


Icon Hash:	c49a0894909c6494

Static PE Info

General
Entrypoint:	0x522d7a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6108AB7A [Tue Aug 3 02:35:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x122d28	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x124000	0x4bd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x120d80	0x120e00	False	0.867353147988	data	7.70845208383	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x124000	0x4bd0	0x4c00	False	0.460166529605	data	6.05100869041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x124190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x1245f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1134929317, next used block 44344484
RT_ICON	0x1256a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x127c48	0x30	data
RT_VERSION	0x127c78	0x398	data
RT_MANIFEST	0x128010	0xbbe	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	ResourceManagerMediat.exe
FileVersion	1.0.0.0
CompanyName	flextronics
LegalTrademarks	flex
Comments	flex spare part room
ProductName	Spare Part
ProductVersion	1.0.0.0
FileDescription	Spare Part
OriginalFilename	ResourceManagerMediat.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328 Parent PID: 5552

General

Start time:	08:32:27
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe'
Imagebase:	0x750000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 980 Parent PID: 4328

General

Start time:	08:32:37
Start date:	03/08/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp'
Imagebase:	0x7ff7d8ce0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5600 Parent PID: 980

General

Start time:	08:32:38
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 3528 Parent PID: 4328

General

Start time:	08:32:39
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Imagebase:	0x4c0000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 248 Parent PID: 4328

General

Start time:	08:32:39
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Imagebase:	0x5c0000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 5612 Parent PID: 4328

General

Start time:	08:32:40
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Imagebase:	0xe30000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 1704 Parent PID: 4328

General

Start time:	08:32:41
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Imagebase:	0xe60000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4724 Parent PID: 4328

General

Start time:	08:32:41
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe
Imagebase:	0x7ff797770000
File size:	1203712 bytes
MD5 hash:	8C457878CC3C72EA684D3034837101E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328 Parent PID: 5552 RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exeCOMMON

Executed Functions

Function 00007FFA165F1069, Relevance: 8.1, Strings: 4, Instructions: 3105COMMON

Download Yara Rule

Strings

Plhs, xrefs: 00007FFA165F1143
Plhs, xrefs: 00007FFA165F11B1
Plhs, xrefs: 00007FFA165F10D5
Plhs, xrefs: 00007FFA165F121F

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID: Plhs$Plhs$Plhs$Plhs
API String ID: 0-3098030691
Opcode ID: a2a33aafa11a87ebe0626365632077e14a1b7d61355c666ed27d0675fe0330ca
Instruction ID: 932acf69703196bc1f37c4ab22cfe7eb8f200ef83067aaf6a3c0b961c9ec3fb3
Opcode Fuzzy Hash: a2a33aafa11a87ebe0626365632077e14a1b7d61355c666ed27d0675fe0330ca
Instruction Fuzzy Hash: 6843127151CBC88FD7A5EF18C454F9ABBE1FF9A340F1545AAD08CC7262DA34A981CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F54A0, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

i, xrefs: 00007FFA165F54B7

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID: i
API String ID: 0-3865851505
Opcode ID: 887060d9fcc054415833e95e137c89d2179ec4a8adb4b37dd0dac463d19d8c89
Instruction ID: 4f76fc7379ebab07fcddec99ae81e79f66b98911c4f6cad2efa518b9946ec368
Opcode Fuzzy Hash: 887060d9fcc054415833e95e137c89d2179ec4a8adb4b37dd0dac463d19d8c89
Instruction Fuzzy Hash: 1AC1317191D7828FE361DF28C440BAAB7E4BF5A364F11997DE09DCB391DA38A4408F42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F9548, Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

:, xrefs: 00007FFA165F96AB

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 1a60f00de8b63ee612813c33f477c37e4bdb016dbc2522b6c6b42847c7dbd2ea
Instruction ID: 35877132aec0dc2568946678a474b21d5fcef366db73b8c991189bd75359f861
Opcode Fuzzy Hash: 1a60f00de8b63ee612813c33f477c37e4bdb016dbc2522b6c6b42847c7dbd2ea
Instruction Fuzzy Hash: AB517D7051CB858FE355DB28C45879ABBF0FF86314F5549AEE099C72A2DB789808CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F0980, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d736b90248db06f483c7848086563ee5c8d58f6de124a32202fb5b24e298754b
Instruction ID: 809c80150e7776ec4126cda09dfef4e53f279bab5df2540da3108d47a4097fe1
Opcode Fuzzy Hash: d736b90248db06f483c7848086563ee5c8d58f6de124a32202fb5b24e298754b
Instruction Fuzzy Hash: D1B1A670518A8D8FEBA5DF28C854BE93BE0FF1A310F5944A5E84CCB292DB34E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4E20, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524eadb1b19eae24235732997698c23895e2d075282d2a11a357efc59db67844
Instruction ID: a4a04a9dd796e1a31dbb6df8ed1d8e1ce3b6f6d1aeae901e738d1de0449b98b6
Opcode Fuzzy Hash: 524eadb1b19eae24235732997698c23895e2d075282d2a11a357efc59db67844
Instruction Fuzzy Hash: 5A91007091CB898FE7E0EB28C455BAAB7E1FF99310F51997DE08DC7251DE34A8418B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F7843, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e07a18eb1011d82c229817c5ac0dcaef42e55a429fc0b7281acd7ffcb66012
Instruction ID: 118619bfed55076c9c6ce9678c40baeba8f21544210c45ccbfe04fd961c45720
Opcode Fuzzy Hash: e9e07a18eb1011d82c229817c5ac0dcaef42e55a429fc0b7281acd7ffcb66012
Instruction Fuzzy Hash: 88917A7141DBC58FD3629B28C855B95BFF0FF57310F5605EEE089CB2A2DA289844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F5A4E, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf7ebd00696dc28b571a9b894e29115ff6bf28366ee29d43fe2aa7a0242235a
Instruction ID: f64523877bcfe61445c02c225202c99c9d9274c8b16ac313e23950b93c4a44b5
Opcode Fuzzy Hash: bcf7ebd00696dc28b571a9b894e29115ff6bf28366ee29d43fe2aa7a0242235a
Instruction Fuzzy Hash: 1BA1DD7091C7868FE7B0DF68C044BAAB7E4BF6A365F11987DE08DCB351DA34A4408B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F000A, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b88e366bc9122a68e3ec15f360fe26aeb3b51f2b3fb9eca44222ce9765432b
Instruction ID: 5f295795d9750d82f438f4601609f4f4b5c2efc47d0cbee7c53a37a20be941a9
Opcode Fuzzy Hash: 02b88e366bc9122a68e3ec15f360fe26aeb3b51f2b3fb9eca44222ce9765432b
Instruction Fuzzy Hash: 4351FA9294EBC65FE7539B649C351A03FB8AF17220B4E50EBD08CCE1E3D5586909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F7CD0, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d154a4cf26b299ca9aac54eb53639302223a8f90fd4c2732aa9ef5a3c8ec44
Instruction ID: 66350c45154bd37225f69d34bb65a4b49c030a18483b94cc33c0802095536098
Opcode Fuzzy Hash: 13d154a4cf26b299ca9aac54eb53639302223a8f90fd4c2732aa9ef5a3c8ec44
Instruction Fuzzy Hash: 7451E26191CB858FE3A1DB28C8557B9BBD0FF5A310F4985AED08CC7293DA3898048F53

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4091, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b42497e7f7021b1923c31dfd8e3e11086b0d95cb9db9f9a2f08feb327861e6b
Instruction ID: d4ffcecc89e2d28730c1bbe6171eb1337e046be4103646ceb748d2b3a6f42943
Opcode Fuzzy Hash: 0b42497e7f7021b1923c31dfd8e3e11086b0d95cb9db9f9a2f08feb327861e6b
Instruction Fuzzy Hash: D651327192CB848FE390DB18C455B69BBE0FF9A310F9054BDE08DC7392DA74A844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165FA986, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4576e494dfe1a7ae1ffebdad17f5765e36ad871313e3a98d195e0e92a7bfcb
Instruction ID: f2b45333dd6cbdb3fa35e4e4eb5e9e92be52ab96ba3ae4025fa8032745177990
Opcode Fuzzy Hash: bc4576e494dfe1a7ae1ffebdad17f5765e36ad871313e3a98d195e0e92a7bfcb
Instruction Fuzzy Hash: 0C51097050D7C58FE752DB28C850B95BBF0FF4A310F4959AEE0C9CB2A2D6789845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F3EE9, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77077004df720a3d4e59961b37969c002531750aa888e267af9de0888c765aa4
Instruction ID: b923a71aab9882dea2b23b139421169340ba126566da932ad94639a7f4a5716b
Opcode Fuzzy Hash: 77077004df720a3d4e59961b37969c002531750aa888e267af9de0888c765aa4
Instruction Fuzzy Hash: 3931537191CBC48FE785EB28C455B69BBE0FF9A310F4545AEE08DC72A3DA24D9448B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F78CF, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8642882358ce5d14d72c109de967b7c5eb372cec669122f550e831a4cea5ae
Instruction ID: a9fdd0fe52b7ee2be179c0b3b9c88e8620f8d83101381ef5cc343b174a19288f
Opcode Fuzzy Hash: 2f8642882358ce5d14d72c109de967b7c5eb372cec669122f550e831a4cea5ae
Instruction Fuzzy Hash: 11418F7141DB858FE361DF28C495796BFF0FB5A310F5549AEE089C72A2DB349404CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4735, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d534bf9a7b1c65c9a6e23a4a3d1e24c01c4dd5203388d7b1a307cfc18c13acb1
Instruction ID: a8af269f7c37b35fabbe67ef24a016f9493503ee482b4393ac8ba03c92414c58
Opcode Fuzzy Hash: d534bf9a7b1c65c9a6e23a4a3d1e24c01c4dd5203388d7b1a307cfc18c13acb1
Instruction Fuzzy Hash: 3631617190D7818FD340CF28C44556ABFE4BF4A324F4699BDE48CCB252EB28D801CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165FD5D2, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa87299437951138e2685fb07d69ed259b69fd6742eee2522cc4d9477384ed5
Instruction ID: 0ec5deccf5dff11945934a7fa71816537d5b376a645ba39003d090f9c8b5c33e
Opcode Fuzzy Hash: 0aa87299437951138e2685fb07d69ed259b69fd6742eee2522cc4d9477384ed5
Instruction Fuzzy Hash: BC315C7040CBC58FC782DB28C455A567FF0EF5A321F5949AEF0C9CB2A2D628E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F0F91, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff634a6fde6b9952104cb29acd4c8dd81c431463966a07cfb962983a3d2385c7
Instruction ID: 29427a8797ac923461cb8aeaa248d49fd612430c6ee58a02004b774ce95a4aa1
Opcode Fuzzy Hash: ff634a6fde6b9952104cb29acd4c8dd81c431463966a07cfb962983a3d2385c7
Instruction Fuzzy Hash: 952128B244DB844FE341D728CC969697BB4FF9A221F4A45BAD08CCF1A3D518AC05C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165FB444, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cde95d3508eeb261aa85c3ffd1332ac9d33f1adc5af83aedb45390a6fab5e73
Instruction ID: 32aa0a3d2207e9a98f90db265d46e4b1eca9e7de2c366682c12760b492b17725
Opcode Fuzzy Hash: 5cde95d3508eeb261aa85c3ffd1332ac9d33f1adc5af83aedb45390a6fab5e73
Instruction Fuzzy Hash: AA21927041CB868FD301DF28C44066ABBE0FB8A329F464A7EE08DD7252D778DA448F06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F8DB1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea983bc5a54c7fa13b9b9d2eddd5aa50e53e2c4e84bd5b74aa4f0fa3802f463
Instruction ID: d0bb781f221e24658066cd943f0632fe6c5fbd89a0025e5e831e1a1b9b15dc6e
Opcode Fuzzy Hash: 8ea983bc5a54c7fa13b9b9d2eddd5aa50e53e2c4e84bd5b74aa4f0fa3802f463
Instruction Fuzzy Hash: 73211D3061CB459FDB84EF28C094A6AB7F0FF99315F51693EF08AD7261D634E8408B06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4760, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48a9c82dfd5008e462e7cfe0e5ee20c2706c95cfa65bba7302e8dc7835066d0
Instruction ID: fa99216c67688da2464f54410e25d0a3e72f2a85d2774d9d7b0b7a352e09d36e
Opcode Fuzzy Hash: b48a9c82dfd5008e462e7cfe0e5ee20c2706c95cfa65bba7302e8dc7835066d0
Instruction Fuzzy Hash: F4218471A1DB828BE744CF28C84512A7BD4BF8E224F419E7DF08CDB341EB28D9018B46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4395, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dc3cd3a955e15dfbe926c667a9d79a3f6ea5a861bcafa2e15814c4d438b390
Instruction ID: 1c4ca8bd68bfecfbe6d027e8dbdeb282715100cd4885f592b6890ff33abaf938
Opcode Fuzzy Hash: d4dc3cd3a955e15dfbe926c667a9d79a3f6ea5a861bcafa2e15814c4d438b390
Instruction Fuzzy Hash: D511E75281EBC45FE386972889125743FB0AF5B260F5A65F7E08CCB2E3D91899448B62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F0781, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49df4edcced66bc1b0a38615f8db703b1793e877751ea44c7bd385e211c671e
Instruction ID: ffe6dc92baf80e2cb12f155551e0acb62928f7932849b5fb93969f49b3ca073f
Opcode Fuzzy Hash: a49df4edcced66bc1b0a38615f8db703b1793e877751ea44c7bd385e211c671e
Instruction Fuzzy Hash: 9901F9A184DF855FD741E718C8557657FE0FF4A310F4A45F9F08CCB2A2DA24A805CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F06ED, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bc387956eb6d1a2103bb2d4fd2c2b88f224862c2fef6c006ff568bb513e48d
Instruction ID: 09b7580bec4162b76106a9a9ab8da8ab9891593eb3d0ba041ae4e27faca3066c
Opcode Fuzzy Hash: f6bc387956eb6d1a2103bb2d4fd2c2b88f224862c2fef6c006ff568bb513e48d
Instruction Fuzzy Hash: 4901D83197DA496BE354DB28C891E667B92FFC6200F84A8F9F04DC72F2DD196809CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F0361, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413bb1482be9f6b975d36b157de5ae7bd48077abfeea9a34afd435972fb645f4
Instruction ID: 32b9f024dfd89046811e520b8480ae61a4f2acc857ecee01b468cd28f3e1d8d0
Opcode Fuzzy Hash: 413bb1482be9f6b975d36b157de5ae7bd48077abfeea9a34afd435972fb645f4
Instruction Fuzzy Hash: 0E01926150DB885FE382D718C854B697FE0FF5A260F4945EAE08CDB2A2D6289944CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F4CE2, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67d940434b3d50d73a4fe1623ac385f4a9493b6c01ea648a9624847dfc1b85d
Instruction ID: f47058f8087164c580ab4d0b8fef21b77ebe927319c58c945bac5dd227a551fe
Opcode Fuzzy Hash: f67d940434b3d50d73a4fe1623ac385f4a9493b6c01ea648a9624847dfc1b85d
Instruction Fuzzy Hash: 2701FC7184EB844FD745DB18C8521587FF0FF6B210F8699AEE048C72A3D529D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F8C48, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b6a817007003e39cab12169201e6fcb6f26d6d069af3bda23325e3cbbd21ba
Instruction ID: 39cbf3a0a59dd07be03e9a3b80cf20b7c542797b94e471b4c86a2b9349ed712d
Opcode Fuzzy Hash: 17b6a817007003e39cab12169201e6fcb6f26d6d069af3bda23325e3cbbd21ba
Instruction Fuzzy Hash: 9001927044EBC58FD301CB18C8517157FF0EF8A314F4646DAE48CCB2A3D2259945C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F3E75, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfced9cdebd3597747778262714a12bdee4076cdc68ba11f444c82aa9eb1bc9
Instruction ID: a50215187da775b75e027202f3eb5180c34b66c07f012207204f40482db3b994
Opcode Fuzzy Hash: fdfced9cdebd3597747778262714a12bdee4076cdc68ba11f444c82aa9eb1bc9
Instruction Fuzzy Hash: 2AF0317150CB899FD741CB1CC445715BFE0FF4A264F4945AAE48CD7362D73899488B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F986B, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5714f2a78060aae0427f2cfc79ab5d132f85af5724e2e12b8083b2c9da8747b1
Instruction ID: 4e121005c119c2bcf41a1b1ed8abcde37ea9bc34d1425a5aac76f6f0d72bccc1
Opcode Fuzzy Hash: 5714f2a78060aae0427f2cfc79ab5d132f85af5724e2e12b8083b2c9da8747b1
Instruction Fuzzy Hash: 14119B3461CB499FD7B4EF28C084B9BB7E0FBAA310F505969908DC7251DA34E441CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F8BD5, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a093b0bdce2e9a3fffd7840796419abbf70d5f116a8925b47706d32b8bdab31a
Instruction ID: 4f39bfa8da74ded6b6b7145534e33537921077bba821b33dc9c8dbd7c6266360
Opcode Fuzzy Hash: a093b0bdce2e9a3fffd7840796419abbf70d5f116a8925b47706d32b8bdab31a
Instruction Fuzzy Hash: 7E01297191CB0A9FD710DF24C440A6AB7E0FB89364F458A7DE08EDB250D678E6818F46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165FCEA1, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11f67d4deb71146698430b5f829101cbeac8506d51ac4c706f8c9be720d2fac
Instruction ID: 635ab889fe56f102f4876fb181e145904c79c92e7fc17a05a8603021a2ca78af
Opcode Fuzzy Hash: a11f67d4deb71146698430b5f829101cbeac8506d51ac4c706f8c9be720d2fac
Instruction Fuzzy Hash: 5D01DA3090CB898FDB94EB58C054A6AB7E1FB99350F51496DE08DC7361DB34E480CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F8722, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b520cebc2f25a3bcaf34ccc96da375317b5d8addc4a565006a936ddd0c1c462
Instruction ID: e8edc5d3a59f78dd05d976dd2406feed8a8090d74b52af21f0d6ddedf977f54c
Opcode Fuzzy Hash: 5b520cebc2f25a3bcaf34ccc96da375317b5d8addc4a565006a936ddd0c1c462
Instruction Fuzzy Hash: 0B01283062CA168FD314EF2CC54065ABBF0FBAA350F01583DF18AC7260E639E8418F42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F5DEA, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2492e93e9cd265922688ef09f2977affd1873f9199cf818e520a3f979ab5a40a
Instruction ID: fefc499522eeb4284f64a39729856a1205e27e20631cf91e9ad8e7e4d4b57e5e
Opcode Fuzzy Hash: 2492e93e9cd265922688ef09f2977affd1873f9199cf818e520a3f979ab5a40a
Instruction Fuzzy Hash: D2F03792C4EBC65FF35213A44D562B42F609F13268B4F94F6D48DCF1E3E40855594B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F9859, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a9c7f9e30cfa37fc6ff30aac769ca8a8eaa86e63a14163a47b668741f0ead4
Instruction ID: 5403e2df147f297f2a4155c1bea53de1e5b17896e3773c84859dda2505c76a76
Opcode Fuzzy Hash: 82a9c7f9e30cfa37fc6ff30aac769ca8a8eaa86e63a14163a47b668741f0ead4
Instruction Fuzzy Hash: 0A01087450CB869FE766DF24C08065ABBF0BF9A321F6158AED09ECB252DA349501CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F9FED, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb837af0336b7592891e065add981aaa1fb48087727f151d9a50b9aac0f578
Instruction ID: c26a09ccc317857c080f1cb61c60e8c52768782562b961e17767e3860c2a034b
Opcode Fuzzy Hash: fecb837af0336b7592891e065add981aaa1fb48087727f151d9a50b9aac0f578
Instruction Fuzzy Hash: E101FBB050D7809FD365DF28C4556DABBE0EF8A314F5049ADE0898B261DB349941CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F6E2B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d42a252c8eeeda3292d6c963f4331b69149c2c24d7ad5492412122455b30377
Instruction ID: f748bd55905db39c7ee7be0d0fc18009e5c4f37a557968af53cfa59b998060a4
Opcode Fuzzy Hash: 6d42a252c8eeeda3292d6c963f4331b69149c2c24d7ad5492412122455b30377
Instruction Fuzzy Hash: 6FF0A07295CB868FE2A4CB18C4C612BBBD0FB9D320F054979A14DC7381DA30E8419F52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F62B1, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42405b97c1e2a95d4fe584fb53335bd6b4ab0c08c7deda52e70d247ba3fc548b
Instruction ID: 79dc266b6c6c0e027f8b372c248a1ad8170cc36498549b44adc1fcd57df493ff
Opcode Fuzzy Hash: 42405b97c1e2a95d4fe584fb53335bd6b4ab0c08c7deda52e70d247ba3fc548b
Instruction Fuzzy Hash: 86F0303151C7858FD3A4DB24C540B6EBBE0AF9A350F008D7AD08DCB2A2CE3068408B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165F7B55, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524b63429ecd109c779d46e3af273e8f8d2998a5461675e93249c9923d551bbc
Instruction ID: ae8b1f5920057f4324c0a376b2f9b608ebc96205887218b2bc5e0f631e3f1376
Opcode Fuzzy Hash: 524b63429ecd109c779d46e3af273e8f8d2998a5461675e93249c9923d551bbc
Instruction Fuzzy Hash: E4D0127061C6859FD391DB18D141F2ABBE0AF85340F415868F089C7660CA20D840CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA165FA0EE, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266369096.00007FFA165F0000.00000040.00000001.sdmp, Offset: 00007FFA165F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d0686a5bc5f900c34541f62c52e68a3f567d758cc42681d147e54c1f854648
Instruction ID: 08a7a96ad9b2a565c2869b0709cb2d46b4914fe237563daa9806b1a59df160da
Opcode Fuzzy Hash: e0d0686a5bc5f900c34541f62c52e68a3f567d758cc42681d147e54c1f854648
Instruction Fuzzy Hash: 05C0122045CE035AE3109B30D28045B77E06F51650F116D3AB05BC9271E920E9004E51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior