Windows Analysis Report
tems.exe

Overview

General Information

Sample name: tems.exe
Analysis ID: 1428831
MD5: 6b3fa7db5c683ef540f54032a6e66969
SHA1: 7f67b47a196163d7c4a5827c944fb8b45e30aef0
SHA256: 71aebecb72a2f1da69501437a4f77de95eac842a4439df68e66bf2a792c0d5d6
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.tems.exe.1690000.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Multi AV Scanner detection for submitted file
Source: tems.exe ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: tems.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: tems.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000002.00000000.1818277065.0000000000252000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.1.dr
Source: Binary string: wntdll.pdbUGP source: tems.exe, 00000000.00000003.1687911775.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, tems.exe, 00000000.00000003.1688402448.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tems.exe, 00000000.00000003.1687911775.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, tems.exe, 00000000.00000003.1688402448.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000002.00000000.1818277065.0000000000252000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.1.dr
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D64696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00D64696
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00D6C9C7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6C93C FindFirstFileW,FindClose, 0_2_00D6C93C
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D6F200
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D6F35D
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D6F65E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D63A2B
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D63D4E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D6BF27

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 114.142.162.17:26
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 114.142.162.17 114.142.162.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU SERVERMULE-AS-APNimbus2PtyLtdAU
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00D725E2
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: RegSvcs.exe, 00000001.00000002.2937483921.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: tems.exe, 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2937483921.0000000002891000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000001.00000002.2936705010.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostinggv
Source: RegSvcs.exe, 00000001.00000002.2937483921.00000000028F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.cash4cars.nz
Source: RegSvcs.exe, 00000001.00000002.2937483921.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tems.exe, 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.tems.exe.1690000.1.raw.unpack, cPKWk.cs .Net Code: hZd2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00D7425A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D74458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00D74458
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00D7425A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D60219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00D60219
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D8CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00D8CDAC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.tems.exe.1690000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\tems.exe Code function: This is a third-party compiled AutoIt script. 0_2_00D03B4C
Source: tems.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tems.exe, 00000000.00000002.1689349855.0000000000DB5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_16a35bf3-9
Source: tems.exe, 00000000.00000002.1689349855.0000000000DB5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0e4cfcc4-0
Source: tems.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8a820989-c
Source: tems.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f484a925-e
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D640B1: CreateFileW,_memset,DeviceIoControl,CloseHandle, 0_2_00D640B1
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D58858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00D58858
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00D6545F
Detected potential crypto function
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D0E800 0_2_00D0E800
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2DBB5 0_2_00D2DBB5
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D8804A 0_2_00D8804A
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D0E060 0_2_00D0E060
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D14140 0_2_00D14140
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D22405 0_2_00D22405
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D36522 0_2_00D36522
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D3267E 0_2_00D3267E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D80665 0_2_00D80665
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D16843 0_2_00D16843
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2283A 0_2_00D2283A
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D389DF 0_2_00D389DF
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D80AE2 0_2_00D80AE2
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D36A94 0_2_00D36A94
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D18A0E 0_2_00D18A0E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D68B13 0_2_00D68B13
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D5EB07 0_2_00D5EB07
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2CD61 0_2_00D2CD61
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D37006 0_2_00D37006
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D13190 0_2_00D13190
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D1710E 0_2_00D1710E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D01287 0_2_00D01287
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D233C7 0_2_00D233C7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2F419 0_2_00D2F419
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D216C4 0_2_00D216C4
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D15680 0_2_00D15680
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D278D3 0_2_00D278D3
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D158C0 0_2_00D158C0
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D21BB8 0_2_00D21BB8
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D39D05 0_2_00D39D05
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D0FE40 0_2_00D0FE40
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D21FD0 0_2_00D21FD0
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2BFE6 0_2_00D2BFE6
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_01683690 0_2_01683690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DF4AD0 1_2_00DF4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFD230 1_2_00DFD230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DF3EB8 1_2_00DF3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DF4200 1_2_00DF4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06178788 1_2_06178788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_061732D0 1_2_061732D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0617B380 1_2_0617B380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06170040 1_2_06170040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06179BF0 1_2_06179BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0617E830 1_2_0617E830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06175910 1_2_06175910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06170006 1_2_06170006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06178EF0 1_2_06178EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0617ACA0 1_2_0617ACA0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\tems.exe Code function: String function: 00D07F41 appears 35 times
Source: C:\Users\user\Desktop\tems.exe Code function: String function: 00D28B40 appears 42 times
Source: C:\Users\user\Desktop\tems.exe Code function: String function: 00D20D27 appears 70 times
Sample file is different than original file name gathered from version info
Source: tems.exe, 00000000.00000003.1688030121.000000000420D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs tems.exe
Source: tems.exe, 00000000.00000003.1687911775.0000000004063000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs tems.exe
Source: tems.exe, 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename5c6f5efb-7c76-4283-af3e-eb17be5e53b7.exe4 vs tems.exe
Uses 32bit PE files
Source: tems.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tems.exe.1690000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tems.exe.1690000.1.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.tems.exe.1690000.1.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tems.exe.1690000.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6A2D5 GetLastError,FormatMessageW, 0_2_00D6A2D5
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D58713 AdjustTokenPrivileges,CloseHandle, 0_2_00D58713
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D58CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00D58CC3
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00D6B59E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D7F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00D7F121
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D786D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00D786D0
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D04FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00D04FE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\newfile Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Users\user\Desktop\tems.exe File created: C:\Users\user\AppData\Local\Temp\autA2F3.tmp Jump to behavior
Source: tems.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tems.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\tems.exe "C:\Users\user\Desktop\tems.exe"
Source: C:\Users\user\Desktop\tems.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tems.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tems.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tems.exe" Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: tems.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000002.00000000.1818277065.0000000000252000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.1.dr
Source: Binary string: wntdll.pdbUGP source: tems.exe, 00000000.00000003.1687911775.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, tems.exe, 00000000.00000003.1688402448.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tems.exe, 00000000.00000003.1687911775.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, tems.exe, 00000000.00000003.1688402448.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000002.00000000.1818277065.0000000000252000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.1.dr
Source: tems.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tems.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tems.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tems.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tems.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D7C304 LoadLibraryA,GetProcAddress, 0_2_00D7C304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D68719 push FFFFFF8Bh; iretd 0_2_00D6871B
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2E94F push edi; ret 0_2_00D2E951
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2EA68 push esi; ret 0_2_00D2EA6A
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D28B85 push ecx; ret 0_2_00D28B98
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2EC43 push esi; ret 0_2_00D2EC45
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2ED2C push edi; ret 0_2_00D2ED2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE67C pushad ; retf 1_2_00DFE67D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE7E7 pushad ; retf 1_2_00DFE7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE79B pushad ; retf 1_2_00DFE79C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE87F pushad ; retf 1_2_00DFE880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE833 pushad ; retf 1_2_00DFE834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DFE93D pushad ; retf 1_2_00DFE93E
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D04A35
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00D855FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D233C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00D233C7
Source: C:\Users\user\Desktop\tems.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: tems.exe PID: 7320, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: tems.exe, 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 7B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 24E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: AB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 1190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 2BA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 29C0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7589 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2262 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\tems.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\tems.exe API coverage: 4.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 7916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D64696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00D64696
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00D6C9C7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6C93C FindFirstFileW,FindClose, 0_2_00D6C93C
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D6F200
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D6F35D
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D6F65E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D63A2B
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D63D4E
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D6BF27
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D04AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96605 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96388 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94702 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: VMwareVBox
Source: RegSvcs.exe, 00000001.00000002.2939905808.0000000005BE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\tems.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tems.exe API call chain: ExitProcess graph end node

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00DF70B8 CheckRemoteDebuggerPresent, 1_2_00DF70B8
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D741FD BlockInput, 0_2_00D741FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00D03B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D35CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00D35CCC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D7C304 LoadLibraryA,GetProcAddress, 0_2_00D7C304
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_01683520 mov eax, dword ptr fs:[00000030h] 0_2_01683520
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_01683580 mov eax, dword ptr fs:[00000030h] 0_2_01683580
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_01681ED0 mov eax, dword ptr fs:[00000030h] 0_2_01681ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00D581F7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D2A395
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2A364 SetUnhandledExceptionFilter, 0_2_00D2A364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\tems.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\tems.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 662008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D58C93 LogonUserW, 0_2_00D58C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00D03B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D04A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D64EC9 mouse_event, 0_2_00D64EC9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tems.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tems.exe" Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00D581F7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D64C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00D64C03
Source: tems.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: tems.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D2886B cpuid 0_2_00D2886B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00D350D7
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D42230 GetUserNameW, 0_2_00D42230
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D3418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00D3418A
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D04AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2937483921.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2937483921.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tems.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: tems.exe Binary or memory string: WIN_81
Source: tems.exe Binary or memory string: WIN_XP
Source: tems.exe Binary or memory string: WIN_XPe
Source: tems.exe Binary or memory string: WIN_VISTA
Source: tems.exe Binary or memory string: WIN_7
Source: tems.exe Binary or memory string: WIN_8
Source: tems.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2937483921.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tems.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tems.exe.1690000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2937483921.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2937483921.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tems.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D76596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00D76596
Source: C:\Users\user\Desktop\tems.exe Code function: 0_2_00D76A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00D76A5A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428831 Sample: tems.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 25 mail.cash4cars.nz 2->25 27 ip-api.com 2->27 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 7 tems.exe 4 2->7         started        10 newfile.exe 2 2->10         started        12 newfile.exe 1 2->12         started        signatures3 process4 signatures5 49 Binary is likely a compiled AutoIt script file 7->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->51 53 Writes to foreign memory regions 7->53 55 Maps a DLL or memory area into another process 7->55 14 RegSvcs.exe 16 4 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process6 dnsIp7 29 mail.cash4cars.nz 114.142.162.17, 26 SERVERMULE-AS-APNimbus2PtyLtdAU Australia 14->29 31 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 14->31 23 C:\Users\user\AppData\Roaming\...\newfile.exe, PE32 14->23 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 Tries to steal Mail credentials (via file / registry access) 14->37 39 4 other signatures 14->39 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
114.142.162.17
 mail.cash4cars.nz Australia
133525 SERVERMULE-AS-APNimbus2PtyLtdAU true

Contacted Domains

Name IP Active
mail.cash4cars.nz 114.142.162.17 true
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/line/?fields=hosting false
    		high