Windows Analysis Report PO-INV 21460041492040401.PDF.exe

Overview

General Information

Sample Name: PO-INV 21460041492040401.PDF.exe
Analysis ID: 483625
MD5: 8e23941e7d2bd97f91b83aa52ce9d2ee
SHA1: afd72705c4b572aa33e7e14938b25e02160f8964
SHA256: 3c3a536252b1c720434579c37748f0ba4178e7eedea1d841aa05e772118185b7
Tags: exe, nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO-INV 21460041492040401.PDF.exe Virustotal: Detection: 30%
Source: PO-INV 21460041492040401.PDF.exe ReversingLabs: Detection: 20%
Antivirus / Scanner detection for submitted sample
Source: PO-INV 21460041492040401.PDF.exe Avira: detected
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f5053c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5870000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5874629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f5053c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f54b65.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5870000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512833462.0000000002F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.517482154.0000000005870000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516134110.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR
Machine Learning detection for sample
Source: PO-INV 21460041492040401.PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.RegAsm.exe.5870000.9.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: PO-INV 21460041492040401.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.5:49728 version: TLS 1.0
Source: PO-INV 21460041492040401.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.362432506.0000000005DD6000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000000.344213841.0000000000B52000.00000002.00020000.sdmp, RegAsm.exe, 00000015.00000002.367637445.00000000008D2000.00000002.00020000.sdmp, dhcpmon.exe, 00000017.00000002.368093939.0000000000422000.00000002.00020000.sdmp, dhcpmon.exe, 0000001B.00000002.385134850.0000000000122000.00000002.00020000.sdmp, RegAsm.exe.0.dr

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.5:49728 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49765 -> 79.134.225.7:6009
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.7
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.352945744.0000000000A47000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.363730356.00000000064B0000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000003.250914381.00000000064B0000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gz
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.353787988.00000000027B1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: http://tempuri.org/PendingProList.xsd
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: http://tempuri.org/ProductDataSet.xsd
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: http://tempuri.org/ProductDataSet1.xsd
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: http://tempuri.org/ProductDataSet1.xsd#CustomerDataTableuThe
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: http://tempuri.org/login2DataSet.xsd
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.353787988.00000000027B1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: https://www.google.com/
Source: unknown DNS traffic detected: queries for: www.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.352842268.00000000009CB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 00000010.00000002.516134110.0000000003F09000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.2.RegAsm.exe.57b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.RegAsm.exe.3f5053c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.RegAsm.exe.5870000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.5874629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.3f5053c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.RegAsm.exe.3f54b65.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.5870000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.RegAsm.exe.2f2d988.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.517406804.00000000057B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.517482154.0000000005870000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.516134110.0000000003F09000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO-INV 21460041492040401.PDF.exe
Uses 32bit PE files
Source: PO-INV 21460041492040401.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 16.2.RegAsm.exe.57b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.57b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.RegAsm.exe.3f5053c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.3f5053c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.RegAsm.exe.5870000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.5870000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.5874629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.5874629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.3f5053c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.3f5053c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.RegAsm.exe.3f54b65.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.3f54b65.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.5870000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.5870000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.RegAsm.exe.2f2d988.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.2f2d988.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.517406804.00000000057B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.517406804.00000000057B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.517482154.0000000005870000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.517482154.0000000005870000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.516134110.0000000003F09000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Code function: 0_2_00E076E5 0_2_00E076E5
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00B53DFE 16_2_00B53DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_02D0E480 16_2_02D0E480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_02D0E471 16_2_02D0E471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_02D0BBD4 16_2_02D0BBD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 21_2_008D3DFE 21_2_008D3DFE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 23_2_00423DFE 23_2_00423DFE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_00123DFE 27_2_00123DFE
Sample file is different than original file name gathered from version info
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.365230658.0000000006D20000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs PO-INV 21460041492040401.PDF.exe
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.352842268.00000000009CB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO-INV 21460041492040401.PDF.exe
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.352122070.00000000003FC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMyProject2.exe6 vs PO-INV 21460041492040401.PDF.exe
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO-INV 21460041492040401.PDF.exe
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.362432506.0000000005DD6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRegAsm.exeT vs PO-INV 21460041492040401.PDF.exe
Source: PO-INV 21460041492040401.PDF.exe Binary or memory string: OriginalFilenameMyProject2.exe6 vs PO-INV 21460041492040401.PDF.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: sfc.dll
Source: PO-INV 21460041492040401.PDF.exe Virustotal: Detection: 30%
Source: PO-INV 21460041492040401.PDF.exe ReversingLabs: Detection: 20%
Source: PO-INV 21460041492040401.PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe 'C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe'
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD621.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDAD5.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD621.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDAD5.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-INV 21460041492040401.PDF.exe.log
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/12@1/2
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{4f6ffb6f-c01b-4232-a80a-431f4e63ed7c}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: PO-INV 21460041492040401.PDF.exe String found in binary or memory: Show AccountsAAddAdminAccountToolStripMenuItem#Add Admin AccountIAddOrModifyCustomerToolStripMenuItem-Add Or Modify Customer5InventoryToolStripMenuItem
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO-INV 21460041492040401.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-INV 21460041492040401.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.362432506.0000000005DD6000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000000.344213841.0000000000B52000.00000002.00020000.sdmp, RegAsm.exe, 00000015.00000002.367637445.00000000008D2000.00000002.00020000.sdmp, dhcpmon.exe, 00000017.00000002.368093939.0000000000422000.00000002.00020000.sdmp, dhcpmon.exe, 0000001B.00000002.385134850.0000000000122000.00000002.00020000.sdmp, RegAsm.exe.0.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: PO-INV 21460041492040401.PDF.exe, Tz90/t6B9.cs .Net Code: Ri98 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.PO-INV 21460041492040401.PDF.exe.310000.0.unpack, Tz90/t6B9.cs .Net Code: Ri98 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Code function: 0_2_00312316 push esi; retf 0_2_00312317
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Code function: 0_2_003122E2 push eax; iretd 0_2_003122E3
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Code function: 0_2_003121DB push esp; iretd 0_2_003121EC
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00B544A3 push es; retf 16_2_00B544A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00B54469 push cs; retf 16_2_00B5449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00B54289 push es; retf 16_2_00B54294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 21_2_008D4289 push es; retf 21_2_008D4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 21_2_008D4469 push cs; retf 21_2_008D449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 21_2_008D44A3 push es; retf 21_2_008D44A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 23_2_00424289 push es; retf 23_2_00424294
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 23_2_004244A3 push es; retf 23_2_004244A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 23_2_00424469 push cs; retf 23_2_0042449E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_00124289 push es; retf 27_2_00124294
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_001244A3 push es; retf 27_2_001244A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 27_2_00124469 push cs; retf 27_2_0012449E
Source: PO-INV 21460041492040401.PDF.exe, d0KF/a3KH.cs High entropy of concatenated method names: '.ctor', 'w3K0', 'Ge9b', 'Dn2o', 'Rd09', 'f5E8', 'q6B9', 'Nc6f', 'Ff54', 'Pd6o'
Source: 0.0.PO-INV 21460041492040401.PDF.exe.310000.0.unpack, d0KF/a3KH.cs High entropy of concatenated method names: '.ctor', 'w3K0', 'Ge9b', 'Dn2o', 'Rd09', 'f5E8', 'q6B9', 'Nc6f', 'Ff54', 'Pd6o'
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD621.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe File opened: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe\:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: PO-INV 21460041492040401.PDF.exe
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe TID: 5628 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe TID: 5628 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe TID: 4860 Thread sleep count: 1041 > 30
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe TID: 4860 Thread sleep count: 8794 > 30
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 6496 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7148 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Window / User API: threadDelayed 1041
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Window / User API: threadDelayed 8794
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: threadDelayed 1917
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: threadDelayed 7602
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Window / User API: foregroundWindowGot 498
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.352886706.00000000009FE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: D53008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD621.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDAD5.tmp'
Source: RegAsm.exe, 00000010.00000002.517627892.00000000063CD000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000010.00000002.511935247.0000000001740000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000010.00000002.511935247.0000000001740000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000010.00000002.511935247.0000000001740000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: RegAsm.exe, 00000010.00000002.513958132.0000000003013000.00000004.00000001.sdmp Binary or memory string: Program ManagerxE
Source: RegAsm.exe, 00000010.00000002.511935247.0000000001740000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: RegAsm.exe, 00000010.00000002.511935247.0000000001740000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: RegAsm.exe, 00000010.00000002.516035516.00000000033BE000.00000004.00000001.sdmp Binary or memory string: Program Manager|0Q

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Users\user\Desktop\PO-INV 21460041492040401.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f5053c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5870000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5874629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f5053c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38fa012.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f54b65.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.5870000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.37b9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.392cce2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.3f4b706.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.39c5320.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.38c7332.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-INV 21460041492040401.PDF.exe.3992662.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512833462.0000000002F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.508601961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.361495255.00000000037B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.517482154.0000000005870000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.361849157.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516134110.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO-INV 21460041492040401.PDF.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: PO-INV 21460041492040401.PDF.exe, 00000000.00000002.361666966.0000000003894000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000010.00000002.512833462.0000000002F01000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000010.00000002.512833462.0000000002F01000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll