Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
U7Ncg7oAyC.exe

Overview

General Information

Sample Name:U7Ncg7oAyC.exe
Analysis ID:623790
MD5:1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:7754eade48451776ab6109a0c584573780a4f531
SHA256:26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • U7Ncg7oAyC.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 6456 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6476 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • U7Ncg7oAyC.exe (PID: 6752 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
      • schtasks.exe (PID: 4132 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4352 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • U7Ncg7oAyC.exe (PID: 2860 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 5684 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6168 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • U7Ncg7oAyC.exe (PID: 6568 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  • dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 6944 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1556 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 640 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  • dhcpmon.exe (PID: 5256 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)