
Windows Analysis Report 4Y85lSOUJ0.exe

Overview

General Information

Sample Name: 4Y85lSOUJ0.exe
Analysis ID: 553230
MD5: 4f439877b84b51b8caa48ae81e1d2363
SHA1: defde1263c0ca2d604226cff86e4045a28650ab4
SHA256: b05b740309562ab6160cc3eb8ed2f0dd839d53c6c71f67bf40aeeb3f580eeb0a
Tags: exe, NanoCore, RAT

Detection

Nanocore, MercurialGrabber
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected MercurialGrabber
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the product ID of Windows
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 4Y85lSOUJ0.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\4Y85lSOUJ0.exe" MD5: 4F439877B84B51B8CAA48AE81E1D2363)
    • nano.exe (PID: 6968 cmdline: "C:\ProgramData\nano.exe" MD5: 94115D1343C7C81682FE2D48CB9F8B96)
    • output.exe (PID: 7124 cmdline: "C:\ProgramData\output.exe" MD5: BF3C8FF8097814C773B0E86495FD0013)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}

Threatname: MercurialGrabber

{"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}
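
The two extracted configurations above are the most actionable part of the report. As an added example (not part of the Joe Sandbox report and not NanoCore's or Mercurial Grabber's own code), the following Python turns them into hunt-ready indicators: C2 host:port, the custom DNS resolver, the mutex and campaign group from the NanoCore config, the list of switches the operator enabled, and the id/token split of the Discord webhook. The config dicts are copied verbatim from the section above; the function names and the (kind, value) indicator layout are this example's own design. The webhook creation time is derived from the documented Discord snowflake layout (millisecond timestamp in the upper 42 bits, epoch 2015-01-01T00:00:00Z).

```python
"""Hunt-ready indicators from the two configurations extracted by the sandbox.

Added example; not part of the Joe Sandbox report. NANOCORE_CFG and
MERCURIAL_CFG are copied from the Malware Configuration section; the
function names and the (kind, value) IOC layout are this example's own.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

NANOCORE_CFG = {
    "Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff",
    "Group": "Lol ve Valo",
    "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "",
    "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable",
    "RequestElevation": "Disable", "BypassUAC": "Disable",
    "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
    "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable",
    "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable",
    "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000,
    "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000,
    "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000",
    "MaxPacketSize": "0000a000", "GCThreshold": "0000a000",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com",
}
MERCURIAL_CFG = {
    "Webhook Url": "https://discord.com/api/webhooks/927987281703350292/"
                   "hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7",
}

# Discord snowflake ids carry a millisecond timestamp in their upper 42 bits,
# counted from 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000


def nanocore_iocs(cfg):
    """(kind, value) indicators from a NanoCore 1.2.x config dict."""
    iocs = []
    for key in ("Domain1", "Domain2"):
        host = cfg.get(key, "")
        if host:  # Domain2 is empty in this sample; skip it rather than emit ":6000"
            iocs.append(("c2", f"{host}:{cfg['Port']}"))
    if cfg.get("UseCustomDNS") == "Enable" and cfg.get("PrimaryDNSServer"):
        iocs.append(("dns-resolver", cfg["PrimaryDNSServer"]))
    iocs.append(("mutex", cfg["Mutex"]))
    iocs.append(("campaign-group", cfg["Group"]))
    return iocs


def nanocore_enabled_features(cfg):
    """Names of the Enable/Disable switches that are on (keylogging, persistence, ...)."""
    return sorted(k for k, v in cfg.items() if v == "Enable")


def parse_discord_webhook(url):
    """Split a Discord webhook URL into id + token and decode the id's creation time.

    The id and token are what an abuse report to Discord needs; the creation
    time bounds when the operator set up the exfiltration channel."""
    parts = urlsplit(url)
    segs = parts.path.rstrip("/").split("/")
    if (parts.netloc not in ("discord.com", "discordapp.com")
            or len(segs) < 4 or segs[-3] != "webhooks"):
        raise ValueError("not a Discord webhook URL")
    webhook_id, token = int(segs[-2]), segs[-1]
    created_ms = (webhook_id >> 22) + DISCORD_EPOCH_MS
    return {
        "id": webhook_id,
        "token": token,
        "created_utc": datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc),
    }


if __name__ == "__main__":
    for kind, value in nanocore_iocs(NANOCORE_CFG):
        print(f"{kind:16} {value}")
    print("enabled:", ", ".join(nanocore_enabled_features(NANOCORE_CFG)))
    wh = parse_discord_webhook(MERCURIAL_CFG["Webhook Url"])
    print(f"webhook id {wh['id']} created {wh['created_utc']:%Y-%m-%d %H:%M:%S}Z")
```

Two things worth noting when the output goes into a hunt: the NanoCore config points PrimaryDNSServer at the same Azure hostname as the C2, so the implant can only use that "custom resolver" after the host's normal resolver has looked the name up, which means the cloudapp.azure.com name should still appear in ordinary DNS telemetry; and the webhook id, not the token, is the stable identifier to pivot on, since the operator can rotate the token without changing the id.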

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed beneath each row)
4Y85lSOUJ0.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1abfd:$x1: NanoCore.ClientPluginHost
  • 0x1ac3a:$x2: IClientNetworkHost
  • 0x1e76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4Y85lSOUJ0.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1a975:$x1: NanoCore Client.exe
  • 0x1abfd:$x2: NanoCore.ClientPluginHost
  • 0x1c236:$s1: PluginCommand
  • 0x1c22a:$s2: FileCommand
  • 0x1d0db:$s3: PipeExists
  • 0x22e92:$s4: PipeCreated
  • 0x1ac27:$s5: IClientLoggingHost
4Y85lSOUJ0.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
4Y85lSOUJ0.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4Y85lSOUJ0.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1a965:$a: NanoCore
  • 0x1a975:$a: NanoCore
  • 0x1aba9:$a: NanoCore
  • 0x1abbd:$a: NanoCore
  • 0x1abfd:$a: NanoCore
  • 0x1a9c4:$b: ClientPlugin
  • 0x1abc6:$b: ClientPlugin
  • 0x1ac06:$b: ClientPlugin
  • 0x1aaeb:$c: ProjectData
  • 0x1b4f2:$d: DESCrypto
  • 0x22ebe:$e: KeepAlive
  • 0x20eac:$g: LogClientMessage
  • 0x1d0a7:$i: get_Connected
  • 0x1b828:$j: #=q
  • 0x1b858:$j: #=q
  • 0x1b874:$j: #=q
  • 0x1b8a4:$j: #=q
  • 0x1b8c0:$j: #=q
  • 0x1b8dc:$j: #=q
  • 0x1b90c:$j: #=q
  • 0x1b928:$j: #=q
(1 additional entry not shown)

The "#=q" prefix on the $j and $x3 strings is the Eazfuscator.NET symbol-renaming scheme, which is why that pattern fires at so many offsets and why the report separately flags code obfuscation.

Dropped Files

Source | Rule | Description | Author (matched strings listed beneath each row)
C:\ProgramData\output.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
C:\ProgramData\output.exe | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG
  • 0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ...
  • 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ...
  • 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ...
  • 0x79f1:$x1: ---------------- mercurial grabber ----------------
  • 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F
  • 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
C:\ProgramData\nano.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\ProgramData\nano.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\ProgramData\nano.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 additional entries not shown)

The $x2 and $x3 hex strings of the Luna/Mercurial rule are UTF-16LE regex literals embedded in the stealer; decoded they read \s*:\s*("(?:\\"|[^"])*? (the key:value extractor it runs over browser/Discord LevelDB files) and [\w-]{24}\.[\w-]{6}\.[\w-]{27} (a Discord token pattern), which is consistent with the Discord webhook exfiltration in the extracted configuration.

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1a9fd:$x1: NanoCore.ClientPluginHost
  • 0x1aa3a:$x2: IClientNetworkHost
  • 0x1e56d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1a765:$a: NanoCore
  • 0x1a775:$a: NanoCore
  • 0x1a9a9:$a: NanoCore
  • 0x1a9bd:$a: NanoCore
  • 0x1a9fd:$a: NanoCore
  • 0x1a7c4:$b: ClientPlugin
  • 0x1a9c6:$b: ClientPlugin
  • 0x1aa06:$b: ClientPlugin
  • 0x1a8eb:$c: ProjectData
  • 0x1b2f2:$d: DESCrypto
  • 0x22cbe:$e: KeepAlive
  • 0x20cac:$g: LogClientMessage
  • 0x1cea7:$i: get_Connected
  • 0x1b628:$j: #=q
  • 0x1b658:$j: #=q
  • 0x1b674:$j: #=q
  • 0x1b6a4:$j: #=q
  • 0x1b6c0:$j: #=q
  • 0x1b6dc:$j: #=q
  • 0x1b70c:$j: #=q
  • 0x1b728:$j: #=q
00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(41 additional entries not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
2.0.nano.exe.a80000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.nano.exe.a80000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
2.0.nano.exe.a80000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
2.0.nano.exe.a80000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
2.0.nano.exe.a80000.1.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(104 additional entries not shown)

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\ProgramData\nano.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
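
The Sigma hit above is a single Sysmon EventID 11 (FileCreate) record: nano.exe writing run.dat into a GUID-named folder under AppData\Roaming. As an added example (not Joe Security's Sigma rule and not part of the report), the following Python runs the equivalent detection over Sysmon events in JSON-lines form, and extends it with two further file-create patterns the report itself documents: the dhcpmon.exe drop under "Program Files (x86)\DHCP Monitor" and PE drops into C:\ProgramData. The events are constructed for this example (only the paths and PIDs mirror the report's process tree); the regexes are this example's approximation, since the rule's exact condition is not on the page, and the GUID is matched generically on the assumption that it differs between builds.

```python
"""Sysmon EventID 11 detection for the NanoCore file writes seen in the report.

Added example; not Joe Security's Sigma rule and not part of the report. The
events in SAMPLE_LOG are constructed; only the paths and PIDs in them come
from the report. The regexes are this example's own approximation.
"""
import json
import re

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"

# (rule name, regex over TargetFilename, report observation it is derived from)
RULES = [
    ("nanocore_run_dat",
     re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.I),
     "Sigma 'NanoCore': EventID 11 writing run.dat under a GUID folder"),
    ("nanocore_dhcpmon_drop",
     re.compile(r"\\Program Files( \(x86\))?\\DHCP Monitor\\dhcpmon\.exe$", re.I),
     "dropped file flagged by Avira / Metadefender / ReversingLabs"),
    ("programdata_pe_drop",
     re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$", re.I),
     "signature 'Drops PE files to the application program directory'"),
]


def match_file_create(event):
    """Rule names one Sysmon event triggers; anything but EventID 11 never matches."""
    if int(event.get("EventID", 0)) != 11:
        return []
    target = event.get("TargetFilename", "")
    return [name for name, rx, _ in RULES if rx.search(target)]


def scan(lines):
    """Run every rule over JSON-lines Sysmon events; returns (rule, image, pid, target)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in match_file_create(ev):
            hits.append((rule, ev["Image"], ev["ProcessId"], ev["TargetFilename"]))
    return hits


# Constructed events in the JSON-lines shape a log shipper would forward.
# The last two are controls: a benign explorer.exe LNK write, and an EventID 1
# (process create) record that must not be treated as a file create.
SAMPLE_LOG = r'''
{"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\4Y85lSOUJ0.exe", "ProcessId": 6896, "TargetFilename": "C:\\ProgramData\\nano.exe"}
{"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\4Y85lSOUJ0.exe", "ProcessId": 6896, "TargetFilename": "C:\\ProgramData\\output.exe"}
{"EventID": 11, "Image": "C:\\ProgramData\\nano.exe", "ProcessId": 6968, "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\D06ED635-68F6-4E9A-955C-4899F5F57B9A\\run.dat"}
{"EventID": 11, "Image": "C:\\ProgramData\\nano.exe", "ProcessId": 6968, "TargetFilename": "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 4242, "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.lnk"}
{"EventID": 1, "Image": "C:\\ProgramData\\output.exe", "ProcessId": 7124, "CommandLine": "\"C:\\ProgramData\\output.exe\""}
'''


if __name__ == "__main__":
    for rule, image, pid, target in scan(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] pid={pid} {image} -> {target}")
```

The run.dat and dhcpmon.exe patterns are specific enough to alert on directly. The ProgramData rule is a hunting query rather than an alert: installers and updaters legitimately write executables there, so in production it should be combined with the writing Image (here a binary launched from the user's Desktop) or with the EventID 1 child-process chain the report's process tree shows.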

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}
Source: 5.2.output.exe.300000.0.unpack | Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}
Multi AV Scanner detection for submitted file
Source: 4Y85lSOUJ0.exe | Virustotal: Detection: 73%
Source: 4Y85lSOUJ0.exe | ReversingLabs: Detection: 82%
Yara detected MercurialGrabber
Source: Yara match | File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\output.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 4Y85lSOUJ0.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\output.exe | Avira: detection malicious, Label: HEUR/AGEN.1137455
Source: C:\ProgramData\nano.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 85%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 96%
Source: C:\ProgramData\nano.exe | Metadefender: Detection: 85%
Source: C:\ProgramData\nano.exe | ReversingLabs: Detection: 96%
Source: C:\ProgramData\output.exe | Metadefender: Detection: 51%
Source: C:\ProgramData\output.exe | ReversingLabs: Detection: 85%
Yara detected Nanocore RAT
Source: Yara match | File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match | File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for sample
Source: 4Y85lSOUJ0.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\output.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\nano.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.nano.exe.5c40000.7.unpack | Avira: Label: TR/NanoCore.fadte
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.nano.exe.a80000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7