Play interactive tour

Edit tour

Windows Analysis Report doc_2021_98666_SIGNED - PRO FACTURA.exe

Overview

General Information

Sample Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Analysis ID:	458632
MD5:	532b5c7f4e3212a0d05e51c85864caf6
SHA1:	9a46dd2c45b724e23a0e3d316eb7fbc16b144e19
SHA256:	46510a62d266a7663f6cbe0a7ffbbba5019a6c890512e5d050b667a8b44f6ea6
Tags:	exenull
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe' MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

schtasks.exe (PID: 6744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6788 cmdline: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6804 cmdline: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6820 cmdline: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6836 cmdline: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

doc_2021_98666_SIGNED - PRO FACTURA.exe (PID: 6848 cmdline: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe MD5: 532B5C7F4E3212A0D05E51C85864CAF6)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x67f4c5:$x1: NanoCore.ClientPluginHost 0x67f502:$x2: IClientNetworkHost 0x683035:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x67f22d:$a: NanoCore 0x67f23d:$a: NanoCore 0x67f471:$a: NanoCore 0x67f485:$a: NanoCore 0x67f4c5:$a: NanoCore 0x67f28c:$b: ClientPlugin 0x67f48e:$b: ClientPlugin 0x67f4ce:$b: ClientPlugin 0x67f3b3:$c: ProjectData 0x93581f:$c: ProjectData 0x67fdba:$d: DESCrypto 0x687786:$e: KeepAlive 0x685774:$g: LogClientMessage 0x68196f:$i: get_Connected 0x6800f0:$j: #=q 0x680120:$j: #=q 0x68013c:$j: #=q 0x68016c:$j: #=q 0x680188:$j: #=q 0x6801a4:$j: #=q 0x6801d4:$j: #=q
Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x497ae7:$x1: NanoCore.ClientPluginHost 0x497b24:$x2: IClientNetworkHost 0x49ae7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4a5ad8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x497944:$a: NanoCore 0x497954:$a: NanoCore 0x4979a5:$a: NanoCore 0x4979b4:$a: NanoCore 0x497a93:$a: NanoCore 0x497aa7:$a: NanoCore 0x497ae7:$a: NanoCore 0x4a2142:$a: NanoCore 0x4a2154:$a: NanoCore 0x4a2190:$a: NanoCore 0x497968:$b: ClientPlugin 0x4979fe:$b: ClientPlugin 0x497ab0:$b: ClientPlugin 0x497af0:$b: ClientPlugin 0x4a215d:$b: ClientPlugin 0x4a2199:$b: ClientPlugin 0x3a54:$c: ProjectData 0x375ae:$c: ProjectData 0x46437:$c: ProjectData 0x48366:$c: ProjectData 0x22b9ee:$c: ProjectData
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x2c64e7:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\bWuIYd.exe	Virustotal: Detection: 24%			Perma Link
Source: C:\Users\user\AppData\Roaming\bWuIYd.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Show sources

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	Virustotal: Detection: 24%			Perma Link
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	ReversingLabs: Detection: 42%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\bWuIYd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Joe Sandbox ML: detected

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 194.5.98.127
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.667857482.0000000002F51000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: doc_2021_98666_SIGNED - PRO FACTURA.exe

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Code function: 0_2_00007FFA35F95054		0_2_00007FFA35F95054
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Code function: 0_2_00007FFA35F910CD		0_2_00007FFA35F910CD

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.667691107.0000000002DA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000000.649095168.0000000000BA8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.674200296.000000001BEA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.674762014.000000001C730000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.674762014.000000001C730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.674584716.000000001C630000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.667705643.0000000002DC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.666640896.000000000106F000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000006.00000000.660097097.0000000000E78000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000007.00000002.661881271.0000000000D98000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000008.00000000.662860887.0000000000D18000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000009.00000000.664282260.0000000000CD8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 0000000A.00000000.665605671.00000000008E8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	Binary or memory string: OriginalFilenameUCOMITypeL.exe6 vs doc_2021_98666_SIGNED - PRO FACTURA.exe

Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bWuIYd.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/4@0/0

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File created: C:\Users\user\AppData\Roaming\bWuIYd.exe

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Mutant created: \Sessions\1\BaseNamedObjects\ChziVbx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp

Jump to behavior

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	Virustotal: Detection: 24%
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File read: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe 'C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe'
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static file information: File size 1202688 > 1048576

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x124600

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Code function: 0_2_00007FFA35F97713 push ebx; retf		0_2_00007FFA35F9771A
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Code function: 0_2_00007FFA35F97F17 push ebx; ret		0_2_00007FFA35F97F1A

Source: initial sample	Static PE information: section name: .text entropy: 7.71708373294
Source: initial sample	Static PE information: section name: .text entropy: 7.71708373294

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

File created: C:\Users\user\AppData\Roaming\bWuIYd.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe TID: 6516	Thread sleep time: -44045s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe TID: 6560	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Thread delayed: delay time: 44045			Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior
Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Process created: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe	Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Queries volume information: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_2021_98666_SIGNED - PRO FACTURA.exe.135d0338.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection11	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
doc_2021_98666_SIGNED - PRO FACTURA.exe	24%	Virustotal		Browse
doc_2021_98666_SIGNED - PRO FACTURA.exe	43%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
doc_2021_98666_SIGNED - PRO FACTURA.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bWuIYd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\bWuIYd.exe	24%	Virustotal		Browse
C:\Users\user\AppData\Roaming\bWuIYd.exe	43%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
194.5.98.127	0%	Avira URL Cloud	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
194.5.98.127	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.667857482.0000000002F51000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458632
Start date:	03.08.2021
Start time:	15:55:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.9% (good quality ratio 3.3%) Quality average: 32.2% Quality standard deviation: 34%
HCA Information:	Successful, ratio: 82% Number of executed functions: 44 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:56:31	API Interceptor	2x Sleep call for process: doc_2021_98666_SIGNED - PRO FACTURA.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\doc_2021_98666_SIGNED - PRO FACTURA.exe.log Download File
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1742
Entropy (8bit):	5.381353871108486
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5:	978918F6120A43D1FA5899938A5A542F
SHA1:	6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256:	F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512:	1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp Download File
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.176967825324459
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGktn:cbhK79lNQR/rydbz9I3YODOLNdq3N
MD5:	335DC9045368E50919C4D67D509F2923
SHA1:	DCBC293F1F440B13AF7E3771AF0F273E176ED4D6
SHA-256:	506CE973705FF1017DAF3E519B36BED172AFFBA6192741E50F9FD8826B7DBFB8
SHA-512:	8E80894560B11876FD0D606F0202C72FEC66AC745C5C1E32684BECC2B7D4834F8C99F7FBAFEACEAC648F26EFD5CFD2CE587407BCBE063E9AE3BE9EB72858CD5A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\bWuIYd.exe Download File
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	7.712684433960131
Encrypted:	false
SSDEEP:	24576:qmlBdz3ITXWl+O/JR308rntdkcr2VGSsjv1StbqiXk:RlBdz3OXW/RkAny7sjv0oi
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
SHA1:	9A46DD2C45B724E23A0E3D316EB7FBC16B144E19
SHA-256:	46510A62D266A7663F6CBE0A7FFBBBA5019A6C890512E5D050B667A8B44F6EA6
SHA-512:	55B368430E4B5FAA59CA892A15930B25DF9F571786CD21DBF87EE311B5DA033F24FD660E7750A51E3A92F3777E82F480C287C35C7FFC295B3A2EF7069B38E108
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a.........."...P..F..........Fe... ........@.. ....................................@..................................d..O.................................................................................... ............... ..H............text...LE... ...F.................. ..`.rsrc................H..............@..@.reloc...............X..............@..B................(e......H.......$...............V...............................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+...0......

C:\Users\user\AppData\Roaming\bWuIYd.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.712684433960131
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
File size:	1202688
MD5:	532b5c7f4e3212a0d05e51c85864caf6
SHA1:	9a46dd2c45b724e23a0e3d316eb7fbc16b144e19
SHA256:	46510a62d266a7663f6cbe0a7ffbbba5019a6c890512e5d050b667a8b44f6ea6
SHA512:	55b368430e4b5faa59ca892a15930b25df9f571786cd21dbf87ee311b5da033f24fd660e7750a51e3a92f3777e82f480c287c35c7ffc295b3a2ef7069b38e108
SSDEEP:	24576:qmlBdz3ITXWl+O/JR308rntdkcr2VGSsjv1StbqiXk:RlBdz3OXW/RkAny7sjv0oi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.........."...P..F..........Fe... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x526546
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61088FEA [Tue Aug 3 00:38:02 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1264f4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x128000	0xfd4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12454c	0x124600	False	0.868892622381	data	7.71708373294	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x128000	0xfd4	0x1000	False	0.455322265625	data	5.68049715964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x128090	0x370	data
RT_MANIFEST	0x128410	0xbbe	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	UCOMITypeL.exe
FileVersion	1.0.0.0
CompanyName	flextronics
LegalTrademarks	flex
Comments	flex spare part room
ProductName	Spare Part
ProductVersion	1.0.0.0
FileDescription	Spare Part
OriginalFilename	UCOMITypeL.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512 Parent PID: 5840

General

Start time:	15:56:30
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe'
Imagebase:	0xa80000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.668794104.00000000032EA000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.669660281.0000000012F61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6744 Parent PID: 6512

General

Start time:	15:56:34
Start date:	03/08/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'
Imagebase:	0x7ff6fe380000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6752 Parent PID: 6744

General

Start time:	15:56:34
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6788 Parent PID: 6512

General

Start time:	15:56:35
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Imagebase:	0xd50000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6804 Parent PID: 6512

General

Start time:	15:56:35
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Imagebase:	0xc70000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6820 Parent PID: 6512

General

Start time:	15:56:36
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Imagebase:	0xbf0000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6836 Parent PID: 6512

General

Start time:	15:56:37
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Imagebase:	0xbb0000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6848 Parent PID: 6512

General

Start time:	15:56:37
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Imagebase:	0x7c0000
File size:	1202688 bytes
MD5 hash:	532B5C7F4E3212A0D05E51C85864CAF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512 Parent PID: 5840 doc_2021_98666_SIGNED - PRO FACTURA.exeCOMMON

Executed Functions

Function 00007FFA35F910CD, Relevance: 2.4, Instructions: 2373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dd9dace2ef0ef403c1af3152f0a6aaa28bda65fa45b78303cf86f1392c2b22
Instruction ID: a2ae90e44d0a3bd3394102b27d31ec87c7081afc992ccc73c1141dca54a559e4
Opcode Fuzzy Hash: c5dd9dace2ef0ef403c1af3152f0a6aaa28bda65fa45b78303cf86f1392c2b22
Instruction Fuzzy Hash: A013867094891D8FEFA4EF58C899BA9B7F1FB69301F6085AAD40DD3255CA34AD81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F95054, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43878978d4635419ef51ad0c03223b1a03281d25eda2c430a7239c0dc0b2212f
Instruction ID: cb8110b2d49a696aff0d1c6f29900e77963283199bc3ddb5206fdbf326f60160
Opcode Fuzzy Hash: 43878978d4635419ef51ad0c03223b1a03281d25eda2c430a7239c0dc0b2212f
Instruction Fuzzy Hash: 65A15E74D08A1A8FEB68CB68C8816BDB7B2FF86700F10C179D40EA7295DE356981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F95EAB, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

^_^, xrefs: 00007FFA35F95EB1

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID: ^_^
API String ID: 0-4237115300
Opcode ID: 0e8fd689cfee2a541e131fb6f777989fb91a5fe7384935c6dfeb008877c04c39
Instruction ID: 24ff1eeef09d325b7410c58c546ea10700a50e97d78c3dbb59bf2c50734aa7b9
Opcode Fuzzy Hash: 0e8fd689cfee2a541e131fb6f777989fb91a5fe7384935c6dfeb008877c04c39
Instruction Fuzzy Hash: 4951DF3690864A8FEB50EF7CA80A1FE7BE0EF45724F008077E54DC6092DE3465849BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F93609, Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbadf6f052b3a83e3fd464ac819370f73810b2e75a78416c34658f0137cf2ff
Instruction ID: 2941e85febeed7dd61afcd238a37b295dbda6377a6145f84ca204fd86e0d22d5
Opcode Fuzzy Hash: 3fbadf6f052b3a83e3fd464ac819370f73810b2e75a78416c34658f0137cf2ff
Instruction Fuzzy Hash: A5612C74E08A5D8FDB55EBA8C8966EDBBF1FF5A700F0041BAD00DE7292CE3468458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F95DA2, Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f952fd12abf376d8691a7a1587fa0817e8560de560cbfabff535806b79a671
Instruction ID: 6ab2772434213933782224cce8a4a02a993fce0dbd852ef8a798a84b14dc09c0
Opcode Fuzzy Hash: 98f952fd12abf376d8691a7a1587fa0817e8560de560cbfabff535806b79a671
Instruction Fuzzy Hash: 1F121D27A0C6678EDB11B76CB8461FA7BD4DF42B35F048077D64DCE093EE19588982E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F949FC, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2935b295fae946a56ca13d7ec08a361292df422fe2778a8b4263f0edbb6f93
Instruction ID: b34f6244ffc3375760e2f23aebe0afa230cf987ffe3a2fa6345e973620424bd6
Opcode Fuzzy Hash: 0a2935b295fae946a56ca13d7ec08a361292df422fe2778a8b4263f0edbb6f93
Instruction Fuzzy Hash: 6EA1B87091891E8FDBA8EF58C895BADB7B1FF69700F5080B9D40EE3291DE356981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9999C, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e807d18398ff23ee275864248b03d8ffa2f80209fa90d30a4dff2c4bfdb05e
Instruction ID: 9795f57a9c4954ed16bac2ce549e7ff0624c7090bea9b8eb3466ac3d36f624f0
Opcode Fuzzy Hash: d5e807d18398ff23ee275864248b03d8ffa2f80209fa90d30a4dff2c4bfdb05e
Instruction Fuzzy Hash: 7081C17190DB898FDB46DBA8D865AE87FF0FF57300F0541EAC049DB2A3CA295846CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F953BF, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e156a8d62c3f5ba19723fdbedc328717f5da19be4f24369dc4ea87ce62e26f65
Instruction ID: d54fcb01b79f9e270e38c29631a44de32c888862edf181361cdf205a0a444941
Opcode Fuzzy Hash: e156a8d62c3f5ba19723fdbedc328717f5da19be4f24369dc4ea87ce62e26f65
Instruction Fuzzy Hash: A0815970D08A1A8FDB58DF98D4929FDB7B2EF5A711F108079C40EA7296CE356841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F98AAA, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7007999329009719778567a5dccba7eba3994052125710f470ee9026268ded2b
Instruction ID: 42647cee931964c0f3ff4b0e01953ac0cfa5ccd9207fc275a420609af5bf1794
Opcode Fuzzy Hash: 7007999329009719778567a5dccba7eba3994052125710f470ee9026268ded2b
Instruction Fuzzy Hash: 5021D06390DBC24FE317972C58551E47FA0EF63A51B0940B3D0CE8B093ED1A280987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9BB39, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1816868e398ee9e68b163340e00f0ded38a666cce359d28e14fd474e1f3041a6
Instruction ID: 7cae1ea1ad1bf3a7c55dc7e0845e46a515963083053092e3c08e7a4a50f7edbb
Opcode Fuzzy Hash: 1816868e398ee9e68b163340e00f0ded38a666cce359d28e14fd474e1f3041a6
Instruction Fuzzy Hash: 20617C7180E7C68FC7038B7488655A57FF0AF17210B0A84EBD489CF1E3D929A95AD772

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F93481, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff673272da6f45927e894eeb98858a96f378943b2fc71a493bd7fc2140c7630
Instruction ID: e68696a41b87fad41e258c6e21c71bbc64cc74705c9bd4d32d14faeaceddcb65
Opcode Fuzzy Hash: 5ff673272da6f45927e894eeb98858a96f378943b2fc71a493bd7fc2140c7630
Instruction Fuzzy Hash: 99519A70908A8E8FDB94EB9CC8996EDBBF0FF59301F0440B6D40DD7292DE35A8458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F94CAC, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d462b4b04f0812dba95e14c7ffd6254187dbecad65afe7f5bb835da64d31a045
Instruction ID: 93e53289374fa329ebfdfd4cdcfa564cddeec3da8c5d5fda1d9765050caf5f05
Opcode Fuzzy Hash: d462b4b04f0812dba95e14c7ffd6254187dbecad65afe7f5bb835da64d31a045
Instruction Fuzzy Hash: 3B412635D08A1A8FDBA9DF6888656FD7BB1BF6A710F00417ED40EE7281DE3568409B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9F5DB, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6221019d4ebc71ee101b898bf2a4336a812009421cbfdd3055fb7ec51c66a694
Instruction ID: 49aaea72d52d87281c0e27b8b93cd4c29db467bc6c462fb6a167304a5a91c8a3
Opcode Fuzzy Hash: 6221019d4ebc71ee101b898bf2a4336a812009421cbfdd3055fb7ec51c66a694
Instruction Fuzzy Hash: A041CE7180D7CA8FE757CB6888616A97FE0EF07300F1841EAC049CB193DE282959DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9511D, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37704602ce9f7220c00f85bcbb23baadff34035abb64173f6dc2ca24e8c66b5e
Instruction ID: 0bbe735b5c3751bfba3daa425d03bf093443f045aee1ed35ee8635e3ab2ed967
Opcode Fuzzy Hash: 37704602ce9f7220c00f85bcbb23baadff34035abb64173f6dc2ca24e8c66b5e
Instruction Fuzzy Hash: 21510774D0861A8FEB68DBA8D891BBDB7B1FF99700F208179D40DA3246CE356981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9FBC6, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2725047650eca1c24b332b62be425035a92297ccf702d3771b9266eeb8473b
Instruction ID: d15c3e9205a3a0a9caea27a6ef2713db24c135dfcf061f0275db70651b9b42bf
Opcode Fuzzy Hash: 0f2725047650eca1c24b332b62be425035a92297ccf702d3771b9266eeb8473b
Instruction Fuzzy Hash: 64413E70D1891E8FD796EF18C85A6A8B7E1FF49700F5081F9D00EE7296DE356981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F98C21, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3236dc9e45d653148a42cc6599b3143616377bdbcc1ad83b3e7f9c7a7fa83fc
Instruction ID: bb70106ee90f1a0085a43423273f6fc1c890063e9869bbba1b92f65b57a4ad9a
Opcode Fuzzy Hash: c3236dc9e45d653148a42cc6599b3143616377bdbcc1ad83b3e7f9c7a7fa83fc
Instruction Fuzzy Hash: 39315B71D18A5A8FE7A5DB58C8557A9B7E1FF59300F0081BAD00ED3292DE3859858B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9DCF8, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc42e899b39c020221a60b13bbb79d9446e2d82f3666c473d24c27ca70293249
Instruction ID: ecd16457658ce27ae70357c36019609d254ae370ce71325d8a077435b19356c1
Opcode Fuzzy Hash: dc42e899b39c020221a60b13bbb79d9446e2d82f3666c473d24c27ca70293249
Instruction Fuzzy Hash: 7531E77181878A8FCB45DF68C8559E97BF0FF06710F0501BBE849D7192DA3DA885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9A79A, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13ddab5247655318d9aa29f6bec844e37ace5144ba9761e5b63740c33b76cc3
Instruction ID: eb78cce3a8a6545862d936b30b2838e2270bef00e4c47e7d13f286524efcd972
Opcode Fuzzy Hash: f13ddab5247655318d9aa29f6bec844e37ace5144ba9761e5b63740c33b76cc3
Instruction Fuzzy Hash: DB31C570D0868A8FDB45DF58C8419EABBF1FF9A310F1482BAD849D7152DB399846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F943D8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226a19513f8d2372c1597d85469674b3b80d109656f223103a4415231f352907
Instruction ID: 6f7026053982045d440511f92bab5c6f47c49a1a0a57011ad0caed4fe377c64a
Opcode Fuzzy Hash: 226a19513f8d2372c1597d85469674b3b80d109656f223103a4415231f352907
Instruction Fuzzy Hash: 2B312BB4D08A8A8FDF09DFA8D4655FEBBB0BF16704F04407ED81AA6281DF351944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F94410, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76cd8a5435162dfd07438bfd2f53e4083e5f0796a4f7078530799407fa395a7
Instruction ID: 1af38fedf690ec1accad851d4fdc6806688bea972082cf005e4383abac9360d9
Opcode Fuzzy Hash: a76cd8a5435162dfd07438bfd2f53e4083e5f0796a4f7078530799407fa395a7
Instruction Fuzzy Hash: C631B4B4D08A4A8FDF48CF98D4585FEBBB1BF59700F10446ED81AA3280DF346A50CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F94110, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355e6159515fb56dcd2440e90a98ee86a3d33790deda65e784e29c8274a56ae0
Instruction ID: b703d93af4158d6d76e0d0ac1e80659703913d3284e99473426a920ef56e0995
Opcode Fuzzy Hash: 355e6159515fb56dcd2440e90a98ee86a3d33790deda65e784e29c8274a56ae0
Instruction Fuzzy Hash: 06312930A18A0E8FDB58EF58D8556EA77F1FB69705F00427AE40ED7290CE36A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9DC64, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45ef2d5eb8b93a08d5ca435a3edc869120db28a9179ea481e71641890ae7511
Instruction ID: 2f6de60f1c2d528908864a1c0ed3389fcfa5bd21a8fd6dae9447d71caef00821
Opcode Fuzzy Hash: a45ef2d5eb8b93a08d5ca435a3edc869120db28a9179ea481e71641890ae7511
Instruction Fuzzy Hash: 61216B70918A0E8FDB44DF48C4819FEB7E0EF59741F51413AE84EE3291CE39E4818BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9AE60, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbd546d496af10dacecd148aa6d49a284d8bc7e2af2c847ff6280345b0937d6
Instruction ID: 208f58abeebddfb45d40a1c69d423f23cee3fbc5f4ee20e86bf3edea60314424
Opcode Fuzzy Hash: 1dbd546d496af10dacecd148aa6d49a284d8bc7e2af2c847ff6280345b0937d6
Instruction Fuzzy Hash: A021AD30908B8D8FDB55DF68C8556EA7BF1EF5A310F0442AAE44DD7291CE39A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F99A60, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941b457871bb2c7de5ee286fd0b022c0a19235c674035cc72f165e3cacac8818
Instruction ID: caeaec733a72a708251474458d6e718aa73c2a18611b671b21524dae5aa4e103
Opcode Fuzzy Hash: 941b457871bb2c7de5ee286fd0b022c0a19235c674035cc72f165e3cacac8818
Instruction Fuzzy Hash: 53216974D18A4D8FEB58DF98D894AEDBBF1FB59304F00412ED00AE7295CE35A940CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9AE1D, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb33cde33d4dafc828f4c95124ed811624abdd87f9070ad0c72740e9366636e
Instruction ID: 3339f72e55802c73a02fe6c6bd70ae1cfb19ae000d71637b3d03bbad6cf6eb9f
Opcode Fuzzy Hash: eeb33cde33d4dafc828f4c95124ed811624abdd87f9070ad0c72740e9366636e
Instruction Fuzzy Hash: 8B215E70D18A0E8FDB54DF58C8546EE77F1EF69701F10427AD84EA7294DE39A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F941A8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d116259f76179779d42823c6c9fa2285a0f14e4783727f5f5aad982ae8509fc4
Instruction ID: b7d2c2ce346aa59c403d69b6cb59dd0a29b752c1ae72360c9763e9a647d1601e
Opcode Fuzzy Hash: d116259f76179779d42823c6c9fa2285a0f14e4783727f5f5aad982ae8509fc4
Instruction Fuzzy Hash: 74215B71914A4E8FDB44EF58C8429FE77E0EF49744F41417AE84AE3281CE34E8908BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F95F0D, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba1f199420ca920cbf456b131342cc561f54197c05e928053cc68affb851ed5
Instruction ID: c373041dffd01fcba3559e17565686ff712bc5cd81b88cf39d71177e3db3a3e8
Opcode Fuzzy Hash: 1ba1f199420ca920cbf456b131342cc561f54197c05e928053cc68affb851ed5
Instruction Fuzzy Hash: B721AB25C0C55B8EEB65BBACA8071FE77D45F02B38F008476D95D890D3DF29388492A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F90FD9, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466f1efce2355e4bc180157f094a63bea212ee281473754fe03d6491caeb9de3
Instruction ID: ef15af63a534fe93e0cc61cd88fb2e621ee50f4e698bd1f94b3991204ca4768d
Opcode Fuzzy Hash: 466f1efce2355e4bc180157f094a63bea212ee281473754fe03d6491caeb9de3
Instruction Fuzzy Hash: 5D11CE6189D6C65FE31757305C169E23FA4AF03615B0981F7E09DCA4E3CC1E269AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9D18A, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90510f65299a58be0425c67a961a1097f2627b21827bdc46b874b910e6a61b0
Instruction ID: e5b0bcffb24ba3006ec134f3984c6e487871a311c557d06cbeb61c47febb752b
Opcode Fuzzy Hash: b90510f65299a58be0425c67a961a1097f2627b21827bdc46b874b910e6a61b0
Instruction Fuzzy Hash: F4218E71914A4E8FDB44EF58C4469FEB7E0FF58704F004176E809D3241CE34A8948BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F941A0, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1031ae0e64ad79d697e3dff018483bc3a9f36c1fc187e0054bf5c76e42c935
Instruction ID: aab1d0930c33a4f0ba59a869cf0ba7bcb45bf5f8ef9908ca563a5259144bee78
Opcode Fuzzy Hash: 9c1031ae0e64ad79d697e3dff018483bc3a9f36c1fc187e0054bf5c76e42c935
Instruction Fuzzy Hash: 4B114A31914A1E8FDB44EF18C4469EAB7E1FF59744F11427AE80AE3255CA34A8948BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F99B6A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade4c46846f429996e94d02190bfc60cb5bef2575ff6af2f82293c8701d8072a
Instruction ID: db1b41964bae2c82885e886d7e973ce52776e6948030cacdcb32c0dabe60f3fc
Opcode Fuzzy Hash: ade4c46846f429996e94d02190bfc60cb5bef2575ff6af2f82293c8701d8072a
Instruction Fuzzy Hash: 7F210770A14A0D8FCB48DF98D895AADB7F1FB59301F11416ED00AEB795CE34A940CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9C495, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fb9ed0599954f4b3aff4df6df46f7e1016ad484828f30f7334bf9ef7c2fc78
Instruction ID: 50a6c76fda44c4788c145081356a3c274b39e8d16ede635592e3dae892dcc26e
Opcode Fuzzy Hash: 27fb9ed0599954f4b3aff4df6df46f7e1016ad484828f30f7334bf9ef7c2fc78
Instruction Fuzzy Hash: DF215C70A04A0E8FCB48CF5CC8859AEF7F1FB99710B14862AD41AE7255CF34E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F948F9, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbcb1d9134b2896f9efca57fe0b653ae5d82788ef2eb34c4a8878a6dc842cd9
Instruction ID: c93419128f23f4ee8c40ad78e9c614f08dbbb0ce3046cadb662871ca74cbff74
Opcode Fuzzy Hash: 7fbcb1d9134b2896f9efca57fe0b653ae5d82788ef2eb34c4a8878a6dc842cd9
Instruction Fuzzy Hash: E901C0308986CA4FDB529F2898469E53FA0FF5A714F064276E84DC3092CA2DA956C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F94108, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150cad58b0c0b5c1832f072d3ddf99f08b742f627c76b3289c7d2ec183b61ad7
Instruction ID: ecacd6d889b6d30a9eb69e3c661e25c4edb4fd93cc31249ca7aeaf74b014d598
Opcode Fuzzy Hash: 150cad58b0c0b5c1832f072d3ddf99f08b742f627c76b3289c7d2ec183b61ad7
Instruction Fuzzy Hash: 0B214D70808A4E8FDB54EF58C4446ED77F1FF59B04F604179E01EE3294CE36A9519BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9046D, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8566ad3dc30903e2eda7e9d0c5968a1717084be94b86d6513623be40a703ee9
Instruction ID: 703f07f0a81ab0695c04b34d2dd7e38bf42636b1e47b41072f39f75fc5680cbf
Opcode Fuzzy Hash: c8566ad3dc30903e2eda7e9d0c5968a1717084be94b86d6513623be40a703ee9
Instruction Fuzzy Hash: 61015E70C19A1A9FDB90EF6888055FE76B4EF06300F40483AE04DE2182DF396900DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9FDA1, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d744f74bf8afa521bbdc054e6749a2f0bf37d3b57d768e986849c3998fb270b
Instruction ID: e66e791f0272dc65297136acb079e3a6e2e2b1a380d498c78dac6429eb802337
Opcode Fuzzy Hash: 3d744f74bf8afa521bbdc054e6749a2f0bf37d3b57d768e986849c3998fb270b
Instruction Fuzzy Hash: 62119470D14A5A8FE75AEBACC45A5B8BBF1FF55700B50407EC00ED7296CE356801DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F907E9, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c0347687dfa12a881969b858c35d8dabeb43324f76f17c2b8043b4778f9d52
Instruction ID: e856975fd6c5d100cfdc05b155efc9f69781fbf2d390e4949d5ab4961b008aef
Opcode Fuzzy Hash: 46c0347687dfa12a881969b858c35d8dabeb43324f76f17c2b8043b4778f9d52
Instruction Fuzzy Hash: AC01923494868A4FE764EF249C452EA77A1EF86300F458876E81DC3183DE7AA9158751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F93CE9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7a4e1e5791b9cbbd27fac890f98441271e768472067dc43125407cb2d7d7a0
Instruction ID: bac615f9dad88e6e452f2ecf0d2dac6e3e1270dc371102f3653be8c9bf89ca0e
Opcode Fuzzy Hash: 1f7a4e1e5791b9cbbd27fac890f98441271e768472067dc43125407cb2d7d7a0
Instruction Fuzzy Hash: 3D11A331D1898E5FE785DB689C122ED7BF1EF46300F4141B5D20ED71D2CE2929148761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F93411, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd236ad86b17f3de1f6956eb8503333fc4f1713ee43d178caac05435b2dd648c
Instruction ID: 4fea2404d4903644d43a7d8e0df19eeacd7fd1377368a7a55bcd403bbbd257df
Opcode Fuzzy Hash: dd236ad86b17f3de1f6956eb8503333fc4f1713ee43d178caac05435b2dd648c
Instruction Fuzzy Hash: 6E01F670C18A4E8FDB91EF68C8496EE7BE0FF29305F414576E41DD2191EB38A690CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F98D19, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327bd7da0e799358abac147d800ad7d79d2e42242dca6b89f79731c52d1bc3db
Instruction ID: e16dc908f96bb95fb4c8926cf5c39a38a72439e919e3428a9685089f379dbc5b
Opcode Fuzzy Hash: 327bd7da0e799358abac147d800ad7d79d2e42242dca6b89f79731c52d1bc3db
Instruction Fuzzy Hash: AC012D70E046198FDBA8CB58C880AADB7B2FB98750F10C16AC01EE7254DE305986CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9AC37, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dccad4209c62dfee0ab07c20d4e59ac1edf9748db613e310918a25a3354cba5
Instruction ID: 8c9a1e6b3150829d167e4ef574de9a9abae685233981e5a22bfda822dfd3bc8d
Opcode Fuzzy Hash: 9dccad4209c62dfee0ab07c20d4e59ac1edf9748db613e310918a25a3354cba5
Instruction Fuzzy Hash: F501FB34E0460A8FCB08DF54C5919EDB7B2FB49311B24426DC406A7380CF3A6941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9B327, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e16cd845c26744a2a43662d69a6da5d54c05d598b580da6a8a079dabc92305
Instruction ID: 25f252810b9b4f08b3c5902ef76a0cb98b4926ebc845d4b67a1f484472dcd554
Opcode Fuzzy Hash: 81e16cd845c26744a2a43662d69a6da5d54c05d598b580da6a8a079dabc92305
Instruction Fuzzy Hash: 03F01D3081890B8FCB58EF18C4958AAB361FF51711B508769C51E9B58ACE35A841CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F91067, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bf255e7aac64cf8cd6e22fcad723e1ce0aec4cc2c4cfb9c492c9bc1bfe796b
Instruction ID: 0522180a13b446d718cb50e90fdedb6c4aa612c636cb878d70b6210ec85201e7
Opcode Fuzzy Hash: 97bf255e7aac64cf8cd6e22fcad723e1ce0aec4cc2c4cfb9c492c9bc1bfe796b
Instruction Fuzzy Hash: 92E06D3090898E4FEB44EF18E8815E9B7A0EF46300F4085B6E41DC3196CE316911C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F9FE86, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c43de1404d4ecfca8384c2a78a7cc1c683835bd038451e37c6cbb39b853a1c
Instruction ID: 38320076351159e8a69a8192d54e72f60b900481754e9c9a38dccd351dc0e521
Opcode Fuzzy Hash: 99c43de1404d4ecfca8384c2a78a7cc1c683835bd038451e37c6cbb39b853a1c
Instruction Fuzzy Hash: A3E08671D18A5F4ED799DB5848125ACAAB1BF49B00F44C2BDC01EA7197CF351A025F50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35F986A2, Relevance: 11.4, Strings: 9, Instructions: 114COMMON

Download Yara Rule

Strings

^_^, xrefs: 00007FFA35F9872A
^_^x, xrefs: 00007FFA35F9871A
^_^b, xrefs: 00007FFA35F986C2
^_^h, xrefs: 00007FFA35F986DA
^_^, xrefs: 00007FFA35F98772
^_^f, xrefs: 00007FFA35F986D2
^_^v, xrefs: 00007FFA35F98712
^_^\, xrefs: 00007FFA35F986AA
^_^Z, xrefs: 00007FFA35F986A2

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID: ^_^$^_^$^_^Z$^_^\$^_^b$^_^f$^_^h$^_^v$^_^x
API String ID: 0-846494378
Opcode ID: a72727a43449549086b4587d98512422337c8ccd0dce8ad01cae002d5da02a26
Instruction ID: b5dc16e5ef01db0a1a551e3f146552a95ff8071804c7ca9b9fccbb422bc19d6d
Opcode Fuzzy Hash: a72727a43449549086b4587d98512422337c8ccd0dce8ad01cae002d5da02a26
Instruction Fuzzy Hash: 8031059BA0D2124FE61467AD6CE22E53B85DF81B3AB0940B3C7CD9F143FD162C4A42E5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F989AA, Relevance: 6.4, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

^_^, xrefs: 00007FFA35F98A1A
^_^, xrefs: 00007FFA35F98A2A
^_^, xrefs: 00007FFA35F989DA
^_^, xrefs: 00007FFA35F989AA
^_^, xrefs: 00007FFA35F98979

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID: ^_^$^_^$^_^$^_^$^_^
API String ID: 0-345336114
Opcode ID: 202551729111ff42fc631b4d9cc2971fd003df70a3c7e539ec16e457b08e370c
Instruction ID: ab6be749fa505a64b1e7ccdb9ff7967d2009370804f0c305827da3f261f86e30
Opcode Fuzzy Hash: 202551729111ff42fc631b4d9cc2971fd003df70a3c7e539ec16e457b08e370c
Instruction Fuzzy Hash: 2B5182A390DBC35FF755875C48AA1A07FA0FF22B55B0941FAC5CE47083ED1B2C0696A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F90A41, Relevance: 5.3, Strings: 4, Instructions: 305COMMON

Download Yara Rule

Strings

xI5, xrefs: 00007FFA35F90C4D
xI5, xrefs: 00007FFA35F90B10
xI5, xrefs: 00007FFA35F90C71
xI5, xrefs: 00007FFA35F90AE5

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID: xI5$xI5$xI5$xI5
API String ID: 0-1905645801
Opcode ID: e67aee5a137982309c4c9a7acdc9f1a1bd2d3e88cab7a291e3d9b180e29b63df
Instruction ID: d470babca8c49cfafd9056c5675fdbfb3acbbc7b8c2c7eede01e2dc63fb882bb
Opcode Fuzzy Hash: e67aee5a137982309c4c9a7acdc9f1a1bd2d3e88cab7a291e3d9b180e29b63df
Instruction Fuzzy Hash: E1B10974908A5E8FDBA8EB58C8957E8B7F1EF5A701F1440BAD00DD7292CE356981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35F985A2, Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

^_^8, xrefs: 00007FFA35F9861A
^_^(, xrefs: 00007FFA35F985D2
^_^), xrefs: 00007FFA35F985DA
^_^:, xrefs: 00007FFA35F98622

Memory Dump Source

Source File: 00000000.00000002.674974988.00007FFA35F90000.00000040.00000001.sdmp, Offset: 00007FFA35F90000, based on PE: false

Similarity

API ID:
String ID: ^_^($^_^)$^_^8$^_^:
API String ID: 0-2224914876
Opcode ID: 234ce9f0882ca55a7a92ba787c9f4805ea7874e574f6dc3aaafaf1a4de514d8f
Instruction ID: c5d1623f9b08225af36b7c8aa16487150ec72df1deb5a043450278ce6980e55f
Opcode Fuzzy Hash: 234ce9f0882ca55a7a92ba787c9f4805ea7874e574f6dc3aaafaf1a4de514d8f
Instruction Fuzzy Hash: 9C21AF1B90C12289D6247B7DBC831E62788CF45B75F404877DACE5E0B3AA043CDA81C9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report doc_2021_98666_SIGNED - PRO FACTURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: doc_2021_98666_SIGNED - PRO FACTURA.exe PID: 6512 Parent PID: 5840