Windows Analysis Report
lb64Iy4W4e.exe

Overview

General Information

Sample Name: lb64Iy4W4e.exe
Analysis ID: 799403
MD5: 4c7df43e37814754ad1c8a97ab971af8
SHA1: c2315cba4dc175554869cf1c7d7b4ddfdb65adea
SHA256: 49cc6f25d16cf7c85d218bcd4ecbdedce0f5d4540bc5099436511291f48a3976
Tags: exeNanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: lb64Iy4W4e.exe ReversingLabs: Detection: 41%
Source: lb64Iy4W4e.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Virustotal: Detection: 29%
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe ReversingLabs: Detection: 23%
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d046c01c-51f5-4c8c-b5b9-b566d533", "Group": "", "Domain1": "alertt.duckdns.org", "Domain2": "alertt.duckdns.org", "Port": 6445, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: lb64Iy4W4e.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: lb64Iy4W4e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C42E3 FindFirstFileExW, 3_2_009C42E3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C46CD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_009C46CD

Networking

Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49701
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49701 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49702 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49702
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49703 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49703 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49707 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49709 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.132.106.37:6445 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49710 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49711
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49711 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2823337 ETPRO TROJAN Nanocore Checkin Pattern 192.168.2.5:49711 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49712
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49712 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49716
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49716 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49717
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49717 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49719
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49719 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49720
Source: Traffic Snort IDS: 2810451 ETPRO TROJAN NanoCore RAT Keepalive Response 3 45.132.106.37:6445 -> 192.168.2.5:49720
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49720 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49722 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49722 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49723 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49725 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49726 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49727
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49727 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49729
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49729 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49730 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49731
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49731 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49733
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49733 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49734 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49735
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49735 -> 45.132.106.37:6445
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49736
Source: Malware configuration extractor URLs: alertt.duckdns.org
Source: unknown DNS query: name: alertt.duckdns.org
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: global traffic TCP traffic: 192.168.2.5:49701 -> 45.132.106.37:6445
Source: lb64Iy4W4e.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: alertt.duckdns.org
Source: tohjyweui.exe, 00000001.00000002.320375242.00000000006BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

System Summary

Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: lb64Iy4W4e.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D00A7 1_2_009D00A7
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009F78A4 1_2_009F78A4
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CE8A2 1_2_009CE8A2
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CF9B4 1_2_009CF9B4
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B59D3 1_2_009B59D3
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009E11E1 1_2_009E11E1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CF289 1_2_009CF289
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D0BA1 1_2_009D0BA1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CEBEA 1_2_009CEBEA
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D041B 1_2_009D041B
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CFD42 1_2_009CFD42
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CF617 1_2_009CF617
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D0780 1_2_009D0780
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D0FD1 1_2_009D0FD1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009EFF1F 1_2_009EFF1F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009EEF20 1_2_009EEF20
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009CEF41 1_2_009CEF41
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_00600F9C 1_2_00600F9C
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_00601247 1_2_00601247
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B00A7 3_2_009B00A7
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B041B 3_2_009B041B
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B0780 3_2_009B0780
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AE8A2 3_2_009AE8A2
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009DAA75 3_2_009DAA75
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B0BA1 3_2_009B0BA1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AEBEA 3_2_009AEBEA
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B0FD1 3_2_009B0FD1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009CEF20 3_2_009CEF20
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C8F5E 3_2_009C8F5E
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AEF41 3_2_009AEF41
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009DAF71 3_2_009DAF71
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C11E1 3_2_009C11E1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AF289 3_2_009AF289
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009DB389 3_2_009DB389
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009CF430 3_2_009CF430
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AF617 3_2_009AF617
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009DB7BE 3_2_009DB7BE
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009D78A4 3_2_009D78A4
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009CF870 3_2_009CF870
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AF9B4 3_2_009AF9B4
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009959D3 3_2_009959D3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009DBBF3 3_2_009DBBF3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009CDB32 3_2_009CDB32
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009AFD42 3_2_009AFD42
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009CFF1F 3_2_009CFF1F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: String function: 009B33C0 appears 32 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: String function: 009BE6D6 appears 54 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: String function: 009C6B49 appears 33 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: String function: 009933C0 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B1150 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 1_2_009B1150
Source: lb64Iy4W4e.exe ReversingLabs: Detection: 41%
Source: lb64Iy4W4e.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe File read: C:\Users\user\Desktop\lb64Iy4W4e.exe
Source: lb64Iy4W4e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\lb64Iy4W4e.exe C:\Users\user\Desktop\lb64Iy4W4e.exe
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632
Source: unknown Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File created: C:\Users\user\AppData\Roaming\swschqavfbk
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe File created: C:\Users\user\AppData\Local\Temp\nsj2A95.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/17@24/1
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: OpenSCManagerW,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle, 1_2_009B1060
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: OpenSCManagerW,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle, 3_2_00991060
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5716
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5408
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d046c01c-51f5-4c8c-b5b9-b566d533dece}
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: GetTickCount 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: Kernel32.dll 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: Sleep 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: Kernel32.dll 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: VirtualAlloc 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: Kernel32.dll 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: Embedding 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: regserver 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: unregserver 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: unregister 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: unreg 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: package 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: ACTION=ADMIN 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: uninstall 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: update 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: uiet 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: passive 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: help 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: REMOVE=ALL 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: REMOVE=ALL 3_2_00991C00
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Command line argument: @uv 3_2_00991C00
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: lb64Iy4W4e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B3406 push ecx; ret 1_2_009B3419
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009F8EBD push ecx; ret 1_2_009F8ED0
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009D8EBD push ecx; ret 3_2_009D8ED0
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_00993406 push ecx; ret 3_2_00993419
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B1C00 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,lstrlenW,lstrlenW,#169,ExitProcess,lstrlenW,lstrlenW,#141,lstrlenW,CLSIDFromString,#190,#88,#88,#6,#175,FreeLibrary, 1_2_009B1C00
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe File created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run luqajfoxt (2 identical entries)

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe File opened: C:\Users\user\AppData\Local\Temp\tohjyweui.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5496 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5512 Thread sleep time: -840000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Window / User API: threadDelayed 403
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Window / User API: foregroundWindowGot 835
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Window / User API: foregroundWindowGot 778
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_00600EBF GetSystemInfo, 1_2_00600EBF
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C42E3 FindFirstFileExW, 3_2_009C42E3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C46CD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_009C46CD
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B3171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009B3171
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B1C00 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,lstrlenW,lstrlenW,#169,ExitProcess,lstrlenW,lstrlenW,#141,lstrlenW,CLSIDFromString,#190,#88,#88,#6,#175,FreeLibrary, 1_2_009B1C00
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B18C0 MultiByteToWideChar,lstrlenW,GetProcessHeap,HeapAlloc,MultiByteToWideChar,GetThreadLocale,CompareStringW,GetProcessHeap,HeapFree, 1_2_009B18C0
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009D9BCC mov ecx, dword ptr fs:[00000030h] 1_2_009D9BCC
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009E6DA6 mov eax, dword ptr fs:[00000030h] 1_2_009E6DA6
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_0060005F mov eax, dword ptr fs:[00000030h] 1_2_0060005F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_0060017B mov eax, dword ptr fs:[00000030h] 1_2_0060017B
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_0060013E mov eax, dword ptr fs:[00000030h] 1_2_0060013E
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_00600109 mov eax, dword ptr fs:[00000030h] 1_2_00600109
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6BBA mov eax, dword ptr fs:[00000030h] 3_2_009C6BBA
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6BFD mov eax, dword ptr fs:[00000030h] 3_2_009C6BFD
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6B77 mov eax, dword ptr fs:[00000030h] 3_2_009C6B77
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6C58 mov eax, dword ptr fs:[00000030h] 3_2_009C6C58
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6DA6 mov eax, dword ptr fs:[00000030h] 3_2_009C6DA6
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6DD7 mov eax, dword ptr fs:[00000030h] 3_2_009C6DD7
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6D1E mov eax, dword ptr fs:[00000030h] 3_2_009C6D1E
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009C6D62 mov eax, dword ptr fs:[00000030h] 3_2_009C6D62
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009B9BCC mov ecx, dword ptr fs:[00000030h] 3_2_009B9BCC
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B3171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009B3171
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B35EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_009B35EF
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009DCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009DCE64
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_00993306 SetUnhandledExceptionFilter, 3_2_00993306
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009BCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_009BCE64
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_00993171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00993171
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: 3_2_009935EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_009935EF
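The `mov eax/ecx, dword ptr fs:[00000030h]` entries above are where a 32-bit process fetches its PEB pointer from the TEB; whether a given site is an anti-debugging check depends on which PEB field it dereferences next. BeingDebugged (+0x02) and NtGlobalFlag (+0x68, where the debug-heap flags 0x70 appear under a debugger) are the classic checks, while ProcessHeap (+0x18) is what CRT code and inlined GetProcessHeap read, so a dozen PEB-reading sites in a binary do not by themselves mean a dozen debugger checks (the IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter triplets listed above are likewise typical of MSVC CRT security-failure handlers). The scanner below is an added example, not part of this report and not the sample's code: it searches a constructed byte string (not bytes taken from this sample) for the common fs:[30h] load encodings and classifies each by the dereference that follows within a short window. The encoding subset is an assumption: movzx/cmp of the byte field and 32-bit mov of the dword fields are covered; other instruction forms, reads through a second register, and 64-bit code (gs:[60h]) are not.

```python
from typing import Dict, List

# 32-bit "mov r32, fs:[30h]" encodings (TEB+0x30 holds the PEB pointer).
# Value is the ModRM register number the PEB pointer lands in.
PEB_LOADS: Dict[bytes, int] = {
    b"\x64\xA1\x30\x00\x00\x00": 0,           # mov eax, fs:[30h]  (short moffs form)
    b"\x64\x8B\x0D\x30\x00\x00\x00": 1,       # mov ecx, fs:[30h]
    b"\x64\x8B\x15\x30\x00\x00\x00": 2,       # mov edx, fs:[30h]
    b"\x64\x8B\x1D\x30\x00\x00\x00": 3,       # mov ebx, fs:[30h]
    b"\x64\x8B\x35\x30\x00\x00\x00": 6,       # mov esi, fs:[30h]
    b"\x64\x8B\x3D\x30\x00\x00\x00": 7,       # mov edi, fs:[30h]
}
# Documented x86 PEB offsets the follow-up dereference is matched against.
PEB_FIELDS = {0x02: "BeingDebugged", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG = {"BeingDebugged", "NtGlobalFlag"}
WINDOW = 24   # bytes after the load in which the dereference must appear


def follow_up_patterns(reg: int):
    """Encodings of [reg+off] reads for the fields above. Deliberate subset:
    movzx/cmp for the byte field, 32-bit mov for the dword fields."""
    pats = []
    for off, name in PEB_FIELDS.items():
        for dst in range(8):
            modrm = bytes([0x40 | (dst << 3) | reg])                  # mod=01 (disp8), rm=reg
            if off == 0x02:
                pats.append((b"\x0F\xB6" + modrm + b"\x02", name))    # movzx dst, byte ptr [reg+2]
            else:
                pats.append((b"\x8B" + modrm + bytes([off]), name))   # mov dst, dword ptr [reg+off]
        if off == 0x02:
            pats.append((b"\x80" + bytes([0x78 | reg]) + b"\x02\x00", name))  # cmp byte ptr [reg+2], 0
    return pats


def scan_peb_reads(code: bytes, window: int = WINDOW) -> List[dict]:
    """Find every fs:[30h] load and label it by the PEB field read right after it."""
    hits = []
    for load, reg in PEB_LOADS.items():
        pos = code.find(load)
        while pos != -1:
            tail = code[pos + len(load): pos + len(load) + window]
            fields = sorted({name for pat, name in follow_up_patterns(reg) if pat in tail})
            if any(f in ANTI_DEBUG for f in fields):
                verdict = "anti-debug"
            elif fields:
                verdict = "benign-looking"
            else:
                verdict = "unclassified"
            hits.append({"offset": pos, "reg": reg, "fields": fields, "verdict": verdict})
            pos = code.find(load, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample (hand-assembled, not taken from the analysed binary):
SAMPLE_CODE = (
    b"\x64\xA1\x30\x00\x00\x00"            # site A @0:  mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                  #             movzx eax, byte ptr [eax+2]   -> BeingDebugged
    + b"\x85\xC0\x75\x10"                  #             test eax, eax / jne short
    + b"\x90" * 8                          # padding
    + b"\x64\x8B\x0D\x30\x00\x00\x00"      # site B @22: mov ecx, fs:[30h]
    + b"\x8B\x41\x18\x50"                  #             mov eax, [ecx+18h] / push eax -> ProcessHeap (CRT-style)
    + b"\x90" * 8
    + b"\x64\xA1\x30\x00\x00\x00"          # site C @41: mov eax, fs:[30h]
    + b"\x8B\x40\x68\x83\xE0\x70"          #             mov eax, [eax+68h] / and eax, 70h -> NtGlobalFlag heap flags
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE_CODE):
        print(f"+0x{h['offset']:04x} reg={h['reg']} fields={h['fields']} -> {h['verdict']}")
```

Run it against a dumped .text section (e.g. the bytes behind the 1_2_/3_2_ addresses above) to separate the sites worth patching or breakpointing from CRT noise; raise WINDOW if a compiler has scheduled other instructions between the load and the dereference.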

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\tohjyweui.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009BE0EA
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009BE22B
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009BE265
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetLocaleInfoW, 3_2_009BEB90
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_009C94F3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009C9795
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009C97FE
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: EnumSystemLocalesW, 3_2_009C9899
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_009C9924
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetLocaleInfoW, 3_2_009C9B77
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_009C9CA0
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetLocaleInfoW, 3_2_009C9DA6
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_009C9E75
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B341B cpuid 1_2_009B341B
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe Code function: 1_2_009B3046 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_009B3046
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

Remote Access Functionality

Source: tohjyweui.exe, 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR