Windows Analysis Report
xeWd55M5Lb

Overview

General Information

Sample Name: xeWd55M5Lb (renamed file extension from none to exe)
Analysis ID: 628188
MD5: f32d1f6e94da654932e73e42f0f4773a
SHA1: 04e51bb4dedfc85cb6d4dfceb3bf48bf69c2a58a
SHA256: 43f670b439ef8ea9765ef3a61e84f1997e3dfd30067dc11c3203caf258553398
Tags: 32exe
Infos:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b07368c6-c9e6-43bc-939d-00b8dbf6", "Group": "Memphis", "Domain1": "stonecold.ddns.net", "Domain2": "stonecold.ddns.net", "Port": 2702, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: xeWd55M5Lb.exe Virustotal: Detection: 49% Perma Link
Source: xeWd55M5Lb.exe ReversingLabs: Detection: 48%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR
Machine Learning detection for sample
Source: xeWd55M5Lb.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.ltqmdmdi.exe.400000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 17.0.ltqmdmdi.exe.400000.2.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 17.2.ltqmdmdi.exe.400000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 3.0.jqenyeo.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.9.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.7.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.ltqmdmdi.exe.400000.1.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 1.2.jqenyeo.exe.400000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 3.0.jqenyeo.exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.ltqmdmdi.exe.400000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Uses 32bit PE files
Source: xeWd55M5Lb.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: xeWd55M5Lb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49743 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49753 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49757 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49758 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 185.19.85.141:2702 -> 192.168.2.3:49758
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49759 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49760 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49761 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49762 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49763 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49767 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49767 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49768 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49774 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49776 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49777 -> 185.19.85.141:2702
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 185.19.85.141:2702 -> 192.168.2.3:49777
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: stonecold.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: stonecold.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.19.85.141 185.19.85.141
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 185.19.85.141:2702
Source: xeWd55M5Lb.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: stonecold.ddns.net
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud
barindex
Yara detected Nanocore RAT
Source: Yara match File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: xeWd55M5Lb.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
One or more processes crash
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_004031FA 1_2_004031FA
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_00409C02 1_2_00409C02
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040A174 1_2_0040A174
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_00409690 1_2_00409690
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040777E 1_2_0040777E
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040B3E1 1_2_0040B3E1
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040C3AD 1_2_0040C3AD
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F0BE0 1_2_009F0BE0
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_004031FA 6_2_004031FA
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_00409C02 6_2_00409C02
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_0040A174 6_2_0040A174
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_00409690 6_2_00409690
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_0040777E 6_2_0040777E
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_0040B3E1 6_2_0040B3E1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_0040C3AD 6_2_0040C3AD
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_004031FA 17_2_004031FA
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_00409C02 17_2_00409C02
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_0040A174 17_2_0040A174
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_00409690 17_2_00409690
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_0040777E 17_2_0040777E
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_0040B3E1 17_2_0040B3E1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_0040C3AD 17_2_0040C3AD
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: String function: 00402520 appears 54 times
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: String function: 00404520 appears 38 times
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\jqenyeo.exe 525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe 525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF
Source: xeWd55M5Lb.exe Virustotal: Detection: 49%
Source: xeWd55M5Lb.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe File read: C:\Users\user\Desktop\xeWd55M5Lb.exe Jump to behavior
Source: xeWd55M5Lb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\xeWd55M5Lb.exe "C:\Users\user\Desktop\xeWd55M5Lb.exe"
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Source: unknown Process created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628
Source: unknown Process created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 608
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File created: C:\Users\user\AppData\Roaming\mtmgxghqo Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe File created: C:\Users\user\AppData\Local\Temp\nsg494E.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/18@16/2
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5948
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6696
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{b07368c6-c9e6-43bc-939d-00b8dbf662e7}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: xeWd55M5Lb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_00402565 push ecx; ret 1_2_00402578
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_00402565 push ecx; ret 6_2_00402578
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_00402565 push ecx; ret 17_2_00402578
Drops PE files
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe File created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe File opened: C:\Users\user\AppData\Local\Temp\jqenyeo.exe:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_004031FA RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004031FA
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe TID: 6616 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe TID: 6608 Thread sleep time: -800000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Window / User API: foregroundWindowGot 819 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Window / User API: foregroundWindowGot 723 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe API coverage: 6.8 %
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe API coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe API call chain: ExitProcess graph end node
Source: xeWd55M5Lb.exe, 00000000.00000002.293043003.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_004071A5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_004071A5
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_004071A5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_004071A5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040819A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_0040819A
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F03F8 mov eax, dword ptr fs:[00000030h] 1_2_009F03F8
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F06F7 mov eax, dword ptr fs:[00000030h] 1_2_009F06F7
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F061D mov eax, dword ptr fs:[00000030h] 1_2_009F061D
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F0736 mov eax, dword ptr fs:[00000030h] 1_2_009F0736
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_009F0772 mov eax, dword ptr fs:[00000030h] 1_2_009F0772
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_004040DE SetUnhandledExceptionFilter, 1_2_004040DE
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040410F
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_004040DE SetUnhandledExceptionFilter, 6_2_004040DE
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 6_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0040410F
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_004040DE SetUnhandledExceptionFilter, 17_2_004040DE
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe Code function: 17_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0040410F

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Memory written: C:\Users\user\AppData\Local\Temp\jqenyeo.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk Jump to behavior
Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mProgram Manager
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mProgram ManagerrogramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=DESKTOP-716T77
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oProgram Manager
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager`O
Source: jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.484552828.0000000000701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerProgram Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPD
Source: jqenyeo.exe, 00000003.00000003.445008058.0000000000700000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.451453735.0000000000700000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerrogramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=DESKTOP-716T77
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_00404D5C cpuid 1_2_00404D5C
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe Code function: 1_2_00403C2E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00403C2E
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected Nanocore RAT
Source: Yara match File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Nanocore Rat
Source: jqenyeo.exe, 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: jqenyeo.exe, 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 628188 Sample: xeWd55M5Lb Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 7 other signatures 2->57 7 xeWd55M5Lb.exe 19 2->7         started        10 ltqmdmdi.exe 1 2->10         started        13 ltqmdmdi.exe 1 2->13         started        process3 file4 35 C:\Users\user\AppData\Local\...\jqenyeo.exe, PE32 7->35 dropped 15 jqenyeo.exe 1 3 7->15         started        59 Multi AV Scanner detection for dropped file 10->59 19 WerFault.exe 3 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 10 13->23         started        26 conhost.exe 13->26         started        signatures5 process6 dnsIp7 39 C:\Users\user\AppData\...\ltqmdmdi.exe, PE32 15->39 dropped 45 Multi AV Scanner detection for dropped file 15->45 47 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->47 49 Injects a PE file into a foreign processes 15->49 28 jqenyeo.exe 12 15->28         started        33 conhost.exe 15->33         started        41 192.168.2.1 unknown unknown 23->41 file8 signatures9 process10 dnsIp11 43 stonecold.ddns.net 185.19.85.141, 2702, 49743, 49746 DATAWIRE-ASCH Switzerland 28->43 37 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 28->37 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->61 file12 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.19.85.141
 stonecold.ddns.net Switzerland
48971 DATAWIRE-ASCH true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
stonecold.ddns.net 185.19.85.141 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
stonecold.ddns.net true
  • Avira URL Cloud: safe
 unknown