Windows Analysis Report P0 (2021)-2790 new order.exe

AV Detection:

Found malware configuration

Source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6e073bd7-7c11-48c2-8a90-355dddea", "Group": "Default", "Domain1": "185.140.53.8", "Domain2": "", "Port": 8907, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "185.140.53.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Source: 185.140.53.8

Virustotal: Detection: 11%

Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.MSBuild.exe.5cc0000.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 2.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: P0 (2021)-2790 new order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: P0 (2021)-2790 new order.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\MSBuild.pdbpdbild.p source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb\W44FX source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbSy source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb F source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.2.dr
Source:	Binary string: System.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbse source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49775 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49779 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49787 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49788 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49789 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49790 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49795 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49796 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49797 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 185.140.53.8:8907

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 185.140.53.8

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.140.53.8 185.140.53.8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49735 -> 185.140.53.8:8907

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49679

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8

Contains functionality to download additional files from the internet

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 2_2_052E2E76 WSARecv,

2_2_052E2E76

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: dhcpmon.exe, 0000000C.00000002.233523050.0000000000798000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: MSBuild.exe, 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: P0 (2021)-2790 new order.exe

Uses 32bit PE files

Source: P0 (2021)-2790 new order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Detected potential crypto function

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3340B		0_2_00A3340B
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A42C51		0_2_00A42C51
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A431C3		0_2_00A431C3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A47134		0_2_00A47134
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3C11C		0_2_00A3C11C
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3D292		0_2_00A3D292
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A426E6		0_2_00A426E6
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A45AC9		0_2_00A45AC9
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A43EDF		0_2_00A43EDF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3CA28		0_2_00A3CA28
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A45207		0_2_00A45207
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3C610		0_2_00A3C610
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3B26B		0_2_00A3B26B
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3CE5D		0_2_00A3CE5D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D7ABE		2_2_012D7ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CDB2A8		2_2_02CDB2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD2FA8		2_2_02CD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD23A0		2_2_02CD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD3850		2_2_02CD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD89D8		2_2_02CD89D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD969F		2_2_02CD969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD306F		2_2_02CD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD95D8		2_2_02CD95D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05781DF8		10_2_05781DF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05780708		10_2_05780708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00046D08		12_2_00046D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00046950		12_2_00046950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0004692F		12_2_0004692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_047E0708		12_2_047E0708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F6692F		15_2_00F6692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F66950		15_2_00F66950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F66D08		15_2_00F66D08

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E180A NtQuerySystemInformation,		2_2_052E180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E17E8 NtQuerySystemInformation,		2_2_052E17E8

Sample file is different than original file name gathered from version info

Source: P0 (2021)-2790 new order.exe, 00000000.00000003.218277543.0000000002976000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs P0 (2021)-2790 new order.exe

PE file contains strange resources

Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file has an executable .text section and no other executable section

Source: P0 (2021)-2790 new order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E149A AdjustTokenPrivileges,		2_2_052E149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E1463 AdjustTokenPrivileges,		2_2_052E1463

Creates files inside the user directory

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Creates temporary files

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7C69.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/11@0/1

Contains functionality to register a service control handler (likely the sample is a service DLL)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Creates mutexes

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6e073bd7-7c11-48c2-8a90-355dddea56c0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01

Creates files inside the program directory

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Binary contains paths to development resources

Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: dhcpmon.exe	Binary or memory string: *.sln
Source: dhcpmon.exe, 0000000F.00000002.247479470.0000000003671000.00000004.00000001.sdmp	Binary or memory string: q*)C:\Program Files (x86)\DHCP Monitor\*.sln

.NET source code contains calls to encryption/decryption functions

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: P0 (2021)-2790 new order.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: P0 (2021)-2790 new order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\MSBuild.pdbpdbild.p source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb\W44FX source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbSy source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb F source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.2.dr
Source:	Binary string: System.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbse source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp

PE file contains a valid data directory to section mapping

Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A34055 push ecx; ret		0_2_00A34068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D74AC push ecx; ret		2_2_012D74AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D74B8 push ebp; ret		2_2_012D74B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D769D push es; ret		2_2_012D76A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D9D78 pushad ; retf		2_2_012D9D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D9D74 push eax; retf		2_2_012D9D75

.NET source code contains many randomly named methods

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs

High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs

High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'

Contains functionality to start windows services

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A3340B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A3340B

Disables application error messsages (SetErrorMode)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6768	Thread sleep time: -200000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window / User API: foregroundWindowGot 897

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to query system information

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 2_2_052E11C2 GetSystemInfo,

2_2_052E11C2

Contains medium sleeps (>= 30s)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A398C4 IsDebuggerPresent,

0_2_00A398C4

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A36BA5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A36BA5

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A310B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A310B0

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A348D3 SetUnhandledExceptionFilter,		0_2_00A348D3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A34904 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A34904

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: MSBuild.exe, 00000002.00000002.484445758.00000000032D9000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: MSBuild.exe, 00000002.00000002.484415620.00000000032C5000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation			Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,		0_2_00A3FCB8
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		0_2_00A390CA
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,		0_2_00A3BC67
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,		0_2_00A35DAE
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		0_2_00A3FDE2
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,		0_2_00A3F9C3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: EnumSystemLocalesW,		0_2_00A3F967
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,		0_2_00A3FE8F
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: EnumSystemLocalesW,		0_2_00A3928D
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,		0_2_00A3F6F3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,		0_2_00A3FAC3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		0_2_00A38239
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,		0_2_00A3FA40
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,		0_2_00A377BF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,		0_2_00A37BFF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,		0_2_00A39313
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,		0_2_00A3FF63

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A39BEE cpuid

0_2_00A39BEE

Queries the cryptographic machine GUID

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A33ECC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A33ECC

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Source: P0 (2021)-2790 new order.exe, 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000002.00000002.482557844.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E292E bind,		2_2_052E292E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E28FB bind,		2_2_052E28FB