Windows Analysis Report NGBCB21034772.exe

Overview

General Information

Sample Name: NGBCB21034772.exe
Analysis ID: 527347
MD5: b8c4a67ffad19ae3c9f3c9770798e751
SHA1: 06633fe82d0dd379d78a03a6014a0c49124bf126
SHA256: dd50acbecbb2c744dc18af4769a1bc3196d59e8014e4f1ad87cf0214218ae129
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Writes to foreign memory regions
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • NGBCB21034772.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\NGBCB21034772.exe" MD5: B8C4A67FFAD19AE3C9F3C9770798E751)
    • schtasks.exe (PID: 2928 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aZWHJb" /XML "C:\Users\user\AppData\Local\Temp\tmp2BE9.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6712 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 5840 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp45AF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5780 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5CC2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5564 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6912 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6956 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "ce7fbdd9-3c95-435d-8876-f6695519",
  "Group": "0SPEED",
  "Domain1": "strongodss.ddns.net",
  "Domain2": "185.19.85.175",
  "Port": 50421,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8009,
  "BufferSize": "02000100",
  "MaxPacketSize": "",
  "GCThreshold": "",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000004.00000000.691846174.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000000.691846174.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000004.00000000.691846174.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000000.00000002.694978767.00000000028EF000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000004.00000000.692150121.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 4.2.RegSvcs.exe.36216fc.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x40c2:$x1: NanoCore.ClientPluginHost
Source: 4.2.RegSvcs.exe.36216fc.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x40c2:$x2: NanoCore.ClientPluginHost
  • 0x41a0:$s4: PipeCreated
  • 0x40dc:$s5: IClientLoggingHost
Source: 4.2.RegSvcs.exe.465ec9e.5.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x6483:$x1: NanoCore.ClientPluginHost
  • 0x1a020:$x1: NanoCore.ClientPluginHost
  • 0x32fbf:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x1a04d:$x2: IClientNetworkHost
  • 0x32fec:$x2: IClientNetworkHost
Source: 4.2.RegSvcs.exe.465ec9e.5.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x6483:$x2: NanoCore.ClientPluginHost
  • 0x1a020:$x2: NanoCore.ClientPluginHost
  • 0x32fbf:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x6561:$s4: PipeCreated
  • 0x1b0fb:$s4: PipeCreated
  • 0x3409a:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x649d:$s5: IClientLoggingHost
  • 0x1a03a:$s5: IClientLoggingHost
  • 0x32fd9:$s5: IClientLoggingHost
Source: 4.2.RegSvcs.exe.465ec9e.5.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aZWHJb" /XML "C:\Users\user\AppData\Local\Temp\tmp2BE9.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aZWHJb" /XML "C:\Users\user\AppData\Local\Temp\tmp2BE9.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NGBCB21034772.exe", ParentImage: C:\Users\user\Desktop\NGBCB21034772.exe, ParentProcessId: 6352, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aZWHJb" /XML "C:\Users\user\AppData\Local\Temp\tmp2BE9.tmp, ProcessId: 2928

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.935569052.0000000004657000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (full configuration listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: NGBCB21034772.exe | ReversingLabs: Detection: 53%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aZWHJb.exe | ReversingLabs: Detection: 40%
Yara detected Nanocore RAT
Source: Yara match | File source: 4.2.RegSvcs.exe.465ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.4669511.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.61a0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.61a4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NGBCB21034772.exe.39a7498.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.61a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.4669511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.4663adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NGBCB21034772.exe.3a90f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NGBCB21034772.exe.3a09d18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NGBCB21034772.exe.39a7498.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.691846174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.692150121.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.692457604.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.933774763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.936165853.00000000061A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.692795570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.935569052.0000000004657000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.695908255.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NGBCB21034772.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6712, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.61a0000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: NGBCB21034772.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\NGBCB21034772.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NGBCB21034772.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\EwAALIHqSo\src\obj\Debug\liARhc.pdbs | source: NGBCB21034772.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\EwAALIHqSo\src\obj\Debug\liARhc.pdb | source: NGBCB21034772.exe
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: RegSvcs.exe, 00000004.00000002.936154958.0000000006190000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.935093264.00000000032C5000.00000004.00000040.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: RegSvcs.exe, 00000004.00000002.935093264.00000000032C5000.00000004.00000040.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb | source: RegSvcs.exe, 00000004.00000002.935093264.00000000032C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.935093264.00000000032C5000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb | source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: C:\Users\user\Desktop\NGBCB21034772.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_048B42CF
Source: C:\Users\user\Desktop\NGBCB21034772.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_048B42E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 4_2_03258808

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 185.19.85.175
Source: Malware configuration extractor | URLs: strongodss.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: strongodss.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: DATAWIRE-ASCH
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 185.19.85.175
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 185.19.85.175:50421
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NGBCB21034772.exe, 00000000.00000003.670652519.0000000004E1A000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmld
Source: NGBCB21034772.exe, 00000000.00000003.669919929.0000000004E1F000.00000004.00000001.sdmp, NGBCB21034772.exe, 00000000.00000003.669827894.0000000004E26000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: NGBCB21034772.exe, 00000000.00000003.669919929.0000000004E1F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: NGBCB21034772.exe, 00000000.00000003.669919929.0000000004E1F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTlH
Source: NGBCB21034772.exe, 00000000.00000003.669827894.0000000004E26000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comangKg
Source: NGBCB21034772.exe, 00000000.00000003.669827894.0000000004E26000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comantAg
Source: NGBCB21034772.exe, 00000000.00000003.669919929.0000000004E1F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcin
Source: NGBCB21034772.exe, 00000000.00000003.669827894.0000000004E26000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comech
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp, NGBCB21034772.exe, 00000000.00000003.674092889.0000000004E45000.00000004.00000001.sdmp, NGBCB21034772.exe, 00000000.00000003.678458823.0000000004E45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: NGBCB21034772.exe, 00000000.00000003.672373409.0000000004E45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers&
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NGBCB21034772.exe, 00000000.00000003.672736632.0000000004E1E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/e-dDd
Source: NGBCB21034772.exe, 00000000.00000003.673386656.0000000004E1E000.00000004.00000001.sdmp, NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NGBCB21034772.exe, 00000000.00000003.674559376.0000000004E45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers3
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp, NGBCB21034772.exe, 00000000.00000003.673176192.0000000004E45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: NGBCB21034772.exe, 00000000.00000002.696946708.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: NGBCB21034772.exe, 00000000.00000003.678458823.0000000004E45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersI
Source: