Windows Analysis Report eReceiptpdf.exe

Overview

General Information

Sample Name: eReceiptpdf.exe
Analysis ID: 509854
MD5: c97f7f2dea671626ab1c6d3d1ad59422
SHA1: de5bc22d6558a46f99784598f550a3affab19ada
SHA256: 9b65db8538653ab63132c23e45852d5455c9cc661655fa217b42a830b0efd24c
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Hides threads from debuggers
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d49cd953-2518-4f4a-81ab-2e5bbd26", "Group": "kings", "Domain1": "zeegod.duckdns.org", "Domain2": "", "Port": 8655, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR

Compliance:

Uses 32bit PE files
Source: eReceiptpdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49718 version: TLS 1.0
Source: eReceiptpdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbI/ source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.pdbMZ@ source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: 1}\Servererver32dows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb(1 source: eReceiptpdf.exe, 00000000.00000000.326221264.0000000007830000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\Desktop\eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdble}i source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: .pdb& source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.326221264.0000000007830000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\user\Desktop\eReceiptpdf.exeisualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Servererver32)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT source: eReceiptpdf.exe, 00000000.00000000.304724116.0000000007830000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\user\Desktop\eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: jVisualBasic.pdb< source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.ni.pdb source: WER6061.tmp.dmp.11.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 4x nop then add dword ptr [ebp-5Ch], 01h 0_2_01660659
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 4x nop then jmp 01661155h 0_2_01660F18
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_01669324
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_01669330
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 4x nop then jmp 01661155h 0_2_01660F09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then add dword ptr [ebp-5Ch], 01h 12_2_02DE0659
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 02DE1155h 12_2_02DE0F18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 12_2_02DE9330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 12_2_02DE9324
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 02DE1155h 12_2_02DE0F09

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49724 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49793 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49802 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49804 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49805 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49806 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49807 -> 45.133.1.211:8655
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49808 -> 45.133.1.211:8655
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: zeegod.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: zeegod.duckdns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902653812936949891/4EB2FF9E.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902653812936949891/4EB2FF9E.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 162.159.134.233 162.159.134.233
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49718 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49716 -> 45.133.1.211:8655
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: eReceiptpdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: eReceiptpdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: eReceiptpdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: eReceiptpdf.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: eReceiptpdf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: eReceiptpdf.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: eReceiptpdf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: eReceiptpdf.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: eReceiptpdf.exe, 00000000.00000000.307592004.0000000003191000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.334852446.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dhcpmon.exe, dhcpmon.exe, 00000012.00000000.332045500.0000000000D42000.00000002.00020000.sdmp, eReceiptpdf.exe String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: eReceiptpdf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: eReceiptpdf.exe, 00000000.00000000.307592004.0000000003191000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.334852446.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: dhcpmon.exe, eReceiptpdf.exe String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902653812936949891/4EB2FF9E.jpg
Source: eReceiptpdf.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902653812936949891/4EB2FF9E.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902653812936949891/4EB2FF9E.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 18.2.dhcpmon.exe.30f9658.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.30f9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.30fe6b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.40e016e.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: eReceiptpdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: eReceiptpdf.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.dhcpmon.exe.30f9658.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.30f9658.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.30f9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.30f9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.30fe6b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.30fe6b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.dhcpmon.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.eReceiptpdf.exe.dc0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.0.dhcpmon.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.eReceiptpdf.exe.dc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.eReceiptpdf.exe.dc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.dhcpmon.exe.40e016e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.40e016e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.eReceiptpdf.exe.810000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 12.0.dhcpmon.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.0.dhcpmon.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.dhcpmon.exe.d40000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.eReceiptpdf.exe.dc0000.15.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 12.2.dhcpmon.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
One or more processes crash
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Detected potential crypto function
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_0166A038 0_2_0166A038
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_016613C6 0_2_016613C6
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_016694E4 0_2_016694E4
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_01663650 0_2_01663650
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_01660659 0_2_01660659
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_01660F18 0_2_01660F18
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_01668EF6 0_2_01668EF6
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_01660F09 0_2_01660F09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE13C6 12_2_02DE13C6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DEA038 12_2_02DEA038
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE36D8 12_2_02DE36D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE0659 12_2_02DE0659
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE94D7 12_2_02DE94D7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE8EF3 12_2_02DE8EF3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE3E50 12_2_02DE3E50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE0F18 12_2_02DE0F18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DEC00A 12_2_02DEC00A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DEB9FA 12_2_02DEB9FA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DE0F09 12_2_02DE0F09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 18_2_0306E471 18_2_0306E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 18_2_0306E480 18_2_0306E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 18_2_0306BBD4 18_2_0306BBD4
Sample file is different than original file name gathered from version info
Source: eReceiptpdf.exe, 00000000.00000000.307229515.0000000002F60000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameAlienRunPE.exe6 vs eReceiptpdf.exe
Source: eReceiptpdf.exe, 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWPhv JLl.exe2 vs eReceiptpdf.exe
Source: eReceiptpdf.exe, 00000000.00000000.295140150.0000000000DC2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUltimate.dll2 vs eReceiptpdf.exe
Source: eReceiptpdf.exe, 00000000.00000000.295168078.0000000000DEE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePayroll Management System.exeT vs eReceiptpdf.exe
Source: eReceiptpdf.exe, 00000005.00000000.290366463.000000000083E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePayroll Management System.exeT vs eReceiptpdf.exe
Source: eReceiptpdf.exe, 00000005.00000000.290341595.0000000000812000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUltimate.dll2 vs eReceiptpdf.exe
Source: eReceiptpdf.exe Binary or memory string: OriginalFilenameUltimate.dll2 vs eReceiptpdf.exe
Source: eReceiptpdf.exe Binary or memory string: OriginalFilenamePayroll Management System.exeT vs eReceiptpdf.exe
PE / OLE file has an invalid certificate
Source: eReceiptpdf.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\eReceiptpdf.exe File read: C:\Users\user\Desktop\eReceiptpdf.exe
Source: eReceiptpdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eReceiptpdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\eReceiptpdf.exe 'C:\Users\user\Desktop\eReceiptpdf.exe'
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Users\user\Desktop\eReceiptpdf.exe C:\Users\user\Desktop\eReceiptpdf.exe
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Users\user\Desktop\eReceiptpdf.exe C:\Users\user\Desktop\eReceiptpdf.exe
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\eReceiptpdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\eReceiptpdf.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6061.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/13@19/4
Source: eReceiptpdf.exe, 00000000.00000000.295140150.0000000000DC2000.00000002.00020000.sdmp, eReceiptpdf.exe, 00000005.00000000.290341595.0000000000812000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.333769964.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.330482629.0000000000422000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.331107108.0000000000342000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.332045500.0000000000D42000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: eReceiptpdf.exe, 00000000.00000000.295140150.0000000000DC2000.00000002.00020000.sdmp, eReceiptpdf.exe, 00000005.00000000.290341595.0000000000812000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.333769964.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.330482629.0000000000422000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.331107108.0000000000342000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.332045500.0000000000D42000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: C:\Users\user\Desktop\eReceiptpdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: eReceiptpdf.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Users\user\Desktop\eReceiptpdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d49cd953-2518-4f4a-81ab-2e5bbd26887f}
Source: C:\Users\user\Desktop\eReceiptpdf.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: eReceiptpdf.exe, 00000000.00000000.304724116.0000000007830000.00000004.00000001.sdmp Binary or memory string: C:\Users\user\Desktop\eReceiptpdf.exeisualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Servererver32)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT
Source: C:\Users\user\Desktop\eReceiptpdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\eReceiptpdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: eReceiptpdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: eReceiptpdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbI/ source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.pdbMZ@ source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: 1}\Servererver32dows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb(1 source: eReceiptpdf.exe, 00000000.00000000.326221264.0000000007830000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\Desktop\eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdble}i source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: .pdb& source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.326221264.0000000007830000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.306359653.0000000001541000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\user\Desktop\eReceiptpdf.exeisualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Servererver32)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT source: eReceiptpdf.exe, 00000000.00000000.304724116.0000000007830000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WER6061.tmp.dmp.11.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER6061.tmp.dmp.11.dr
Source: Binary string: C:\Users\user\Desktop\eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER6061.tmp.dmp.11.dr
Source: Binary string: jVisualBasic.pdb< source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: eReceiptpdf.PDB source: eReceiptpdf.exe, 00000000.00000000.311535014.00000000066AA000.00000004.00000010.sdmp
Source: Binary string: System.ni.pdb source: WER6061.tmp.dmp.11.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\eReceiptpdf.exe Code function: 0_2_00DCDF6C push ss; retn 0000h 0_2_00DCDF6D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00B3DF6C push ss; retn 0000h 12_2_00B3DF6D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DEAE48 push eax; mov dword ptr [esp], ecx 12_2_02DEAF59
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02DEAF1B push eax; mov dword ptr [esp], ecx 12_2_02DEAF59
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0042DF6C push ss; retn 0000h 15_2_0042DF6D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_0034DF6C push ss; retn 0000h 17_2_0034DF6D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 18_2_00D4DF6C push ss; retn 0000h 18_2_00D4DF6D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\eReceiptpdf.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\eReceiptpdf.exe File opened: C:\Users\user\Desktop\eReceiptpdf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\eReceiptpdf.exe TID: 6304 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6908 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\eReceiptpdf.exe Window / User API: threadDelayed 3224
Source: C:\Users\user\Desktop\eReceiptpdf.exe Window / User API: threadDelayed 5855
Source: C:\Users\user\Desktop\eReceiptpdf.exe Window / User API: foregroundWindowGot 716
Source: C:\Users\user\Desktop\eReceiptpdf.exe Window / User API: foregroundWindowGot 597
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\eReceiptpdf.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process token adjusted: Debug
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Source: C:\Users\user\Desktop\eReceiptpdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\eReceiptpdf.exe Memory written: C:\Users\user\Desktop\eReceiptpdf.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Users\user\Desktop\eReceiptpdf.exe C:\Users\user\Desktop\eReceiptpdf.exe
Source: C:\Users\user\Desktop\eReceiptpdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2176
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: eReceiptpdf.exe, 00000000.00000000.295792070.0000000001B10000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: eReceiptpdf.exe, 00000000.00000000.295792070.0000000001B10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: eReceiptpdf.exe, 00000000.00000000.295792070.0000000001B10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: eReceiptpdf.exe, 00000000.00000000.295792070.0000000001B10000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Users\user\Desktop\eReceiptpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Users\user\Desktop\eReceiptpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\eReceiptpdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eReceiptpdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: eReceiptpdf.exe, 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.4f77190.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e016e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40ea9e1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eReceiptpdf.exe.5144460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dhcpmon.exe.40e4fab.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.310947672.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.353019533.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300635347.0000000005144000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324519764.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.303431509.00000000070F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.351180873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.346857175.0000000006FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.341009071.0000000004F77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.352765466.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eReceiptpdf.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6048, type: MEMORYSTR