
Analysis Report T XXXVIS.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 204734
Start date: 30.01.2020
Start time: 22:37:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: T XXXVIS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/18@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 34.5% (good quality ratio 32.2%)
  • Quality average: 80.6%
  • Quality standard deviation: 27.4%
HCA Information:
  • Successful, ratio: 78%
  • Number of executed functions: 80
  • Number of non-executed functions: 56
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 104.101.100.69, 104.74.123.50
  • Excluded domains from analysis (whitelisted): e5684.g.akamaiedge.net, fs.microsoft.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: HawkEye
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

  • Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
  • Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
  • Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation511 | Winlogon Helper DLL | Access Token Manipulation1 | Software Packing1 | Credential Dumping | System Time Discovery1 | Remote File Copy1 | Data from Local System | Data Encrypted11 | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Replication Through Removable Media | Rundll321 | Port Monitors | Process Injection111 | Disabling Security Tools1 | Network Sniffing | Security Software Discovery511 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through API11 | Accessibility Features | Path Interception | Rundll321 | Input Capture | File and Directory Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote Access Tools1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface2 | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information1 | Credentials in Files | System Information Discovery117 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol2 | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information1 | Account Manipulation | Virtualization/Sandbox Evasion33 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Masquerading1 | Brute Force | Remote System Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion33 | Two-Factor Authentication Interception | System Network Configuration Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection111 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | DLL Side-Loading1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.dll | Avira: detection malicious, Label: HEUR/AGEN.1019596
Source: C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.dll | Avira: detection malicious, Label: HEUR/AGEN.1019596
Found malware configuration
Source: RegAsm.exe.6008.10.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: T XXXVIS.exe | Virustotal: Detection: 21%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 10.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 66.171.248.178
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Found strings which match to known social media urls
Source: RegAsm.exe, 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: bot.whatismyipaddress.com
Urls found in memory or binary data
Source: RegAsm.exe, 0000000A.00000002.804223027.00000000032EB000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.804223027.00000000032EB000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 0000000A.00000002.804223027.00000000032EB000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com4k
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.788298028.0000000002E10000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.804223027.00000000032EB000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.802340940.0000000005CF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.791565356.0000000004688000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DWFgZgrOiynVCqUWma5.exe PID: 5772, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY
Source: Yara match | File source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.802340940.0000000005CF2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0000000A.00000002.807663289.0000000007BF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000001.00000002.791565356.0000000004688000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: DWFgZgrOiynVCqUWma5.exe PID: 5772, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 10.2.RegAsm.exe.7bf0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 10.2.RegAsm.exe.7bf0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Code function: 1_2_05391C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Code function: 1_2_053900AD NtOpenSection,NtMapViewOfSection
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Source: T XXXVIS.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 570240 bytes, 2 files
PE file contains strange resources
Source: T XXXVIS.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DWFgZgrOiynVCqUWma5.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: bcqosp40.dll.6.dr | Static PE information: No import functions for PE file found
Source: tojvddq4.dll.3.dr | Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: T XXXVIS.exe | Binary or memory string: OriginalFilename vs T XXXVIS.exe
Source: T XXXVIS.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUIF vs T XXXVIS.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\T XXXVIS.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Yara signature match
Source: 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 00000001.00000002.802340940.0000000005CF2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0000000A.00000002.807663289.0000000007BF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: 00000001.00000002.791565356.0000000004688000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: Process Memory Space: DWFgZgrOiynVCqUWma5.exe PID: 5772, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 (author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload)
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 (author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload)
Source: 10.2.RegAsm.exe.7bf0000.3.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: 10.2.RegAsm.exe.7bf0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
.NET source code contains calls to encryption/decryption functions
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegAsm.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.RegAsm.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 10.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 10.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 10.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 10.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/18@2/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B4E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DWFgZgrOiynVCqUWma5.exe.log
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\cc4210e4-190c-4792-ba02-7ae07a359660
Creates temporary files
Source: C:\Users\user\Desktop\T XXXVIS.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Might use command line arguments
Source: C:\Users\user\Desktop\T XXXVIS.exe | Command line argument: Kernel32.dll | Code function: 0_2_009B2A7E
PE file has an executable .text section and no other executable section
Source: T XXXVIS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Reads software policiesShow sources
Source: C:\Users\user\Desktop\T XXXVIS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Sample is known by AntivirusShow sources
Source: T XXXVIS.exeVirustotal: Detection: 21%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\T XXXVIS.exe 'C:\Users\user\Desktop\T XXXVIS.exe'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.cmdline'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D08.tmp' 'c:\Users\user\AppData\Local\Temp\tojvddq4\CSC46102027C6FD4178A536C487A4F9921A.TMP'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.cmdline'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB275.tmp' 'c:\Users\user\AppData\Local\Temp\bcqosp40\CSCC568EBC44D9640B880A9173C916B71B0.TMP'
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\T XXXVIS.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.cmdline'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.cmdline'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D08.tmp' 'c:\Users\user\AppData\Local\Temp\tojvddq4\CSC46102027C6FD4178A536C487A4F9921A.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB275.tmp' 'c:\Users\user\AppData\Local\Temp\bcqosp40\CSCC568EBC44D9640B880A9173C916B71B0.TMP'Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
PE file contains a mix of data directories often seen in goodwareShow sources
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: T XXXVIS.exeStatic PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: T XXXVIS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: wextract.pdb source: T XXXVIS.exe
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000003.00000002.761666404.0000000001000000.00000002.00000001.sdmp, csc.exe, 00000006.00000002.780906809.00000000057A0000.00000002.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegAsm.exe, 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp
Source: Binary string: k8C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.pdb- source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.788793797.0000000002FA6000.00000004.00000001.sdmp
Source: Binary string: wextract.pdbPp source: T XXXVIS.exe
Source: Binary string: k8C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.pdb source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.788793797.0000000002FA6000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected MSIL_Load_Encrypted_Assembly
Source: Yara match | File source: DWFgZgrOiynVCqUWm, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.0.cs, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.0.cs, type: DROPPED
Compiles C# or VB.Net code
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.cmdline'
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.cmdline'
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA | 0_2_009B2DAE
PE file contains an invalid checksum
Source: T XXXVIS.exe | Static PE information: real checksum: 0x9a92f should be: 0xa8e1e
Source: DWFgZgrOiynVCqUWma5.exe.0.dr | Static PE information: real checksum: 0x13ee6 should be: 0x26c221
Source: bcqosp40.dll.6.dr | Static PE information: real checksum: 0x0 should be: 0x18b8cf
Source: tojvddq4.dll.3.dr | Static PE information: real checksum: 0x0 should be: 0x188f0e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B78A1 push ecx; ret | 0_2_009B78B4

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.dll
Source: C:\Users\user\Desktop\T XXXVIS.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B1910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA | 0_2_009B1910

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY
Queries memory information (via WMI, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Manufacturer FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMajorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMinorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ReleaseDate FROM Win32_BIOS
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Caption FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 0000000A.00000002.803968969.000000000327D000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe TID: 5808 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6048 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6028 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_009B21E7
Contains functionality to query system information
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA | 0_2_009B532F
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.799778802.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: TQEMUx
Source: RegAsm.exe, 0000000A.00000002.807020205.0000000006250000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000A.00000002.807020205.0000000006250000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 0000000A.00000002.807020205.0000000006250000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000A.00000002.806510209.0000000005F00000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 0000000A.00000002.807020205.0000000006250000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA | 0_2_009B2DAE
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Code function: 1_2_053900AD mov ecx, dword ptr fs:[00000030h] | 1_2_053900AD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Code function: 1_2_053900AD mov eax, dword ptr fs:[00000030h] | 1_2_053900AD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Code function: 1_2_053901CB mov eax, dword ptr fs:[00000030h] | 1_2_053901CB
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B7360 SetUnhandledExceptionFilter | 0_2_009B7360
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B6C35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_009B6C35
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, u202d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 10.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Section loaded: unknown target pid: 6008 protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.cmdline'
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D08.tmp' 'c:\Users\user\AppData\Local\Temp\tojvddq4\CSC46102027C6FD4178A536C487A4F9921A.TMP'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB275.tmp' 'c:\Users\user\AppData\Local\Temp\bcqosp40\CSCC568EBC44D9640B880A9173C916B71B0.TMP'
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\T XXXVIS.exe | Code function: 0_2_009B16B6 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle | 0_2_009B16B6

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\T XXXVIS.exe Code function: 0_2_009B75A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_009B75A8
Contains functionality to query windows version
Source: C:\Users\user\Desktop\T XXXVIS.exe Code function: 0_2_009B2A7E GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,0_2_009B2A7E
Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match, File source: 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.802340940.0000000005CF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.791565356.0000000004688000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DWFgZgrOiynVCqUWma5.exe PID: 5772, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY
Source: Yara match, File source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match, File source: 0000000A.00000003.788298030.0000000004AE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.807663289.0000000007BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY
Source: Yara match, File source: 10.2.RegAsm.exe.7bf0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.7bf0000.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: DWFgZgrOiynVCqUWma5.exe, 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match, File source: 00000001.00000002.801931999.0000000005759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.801834651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.802340940.0000000005CF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.791565356.0000000004688000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DWFgZgrOiynVCqUWma5.exe PID: 5772, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 6008, type: MEMORY
Source: Yara match, File source: 1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Behavior Graph

[Behavior graph ID 204734 (image not reproducible in text); information recoverable from it follows]
Sample: T XXXVIS.exe, start date 30/01/2020, architecture WINDOWS, score 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Process tree: T XXXVIS.exe drops C:\Users\user\...\DWFgZgrOiynVCqUWma5.exe (PE32) and starts it; rundll32.exe is also started. DWFgZgrOiynVCqUWma5.exe drops C:\Users\user\AppData\...\tojvddq4.cmdline, C:\Users\user\AppData\Local\...\tojvddq4.0.cs and C:\Users\user\AppData\Local\...\bcqosp40.0.cs (UTF-8), then starts RegAsm.exe and two csc.exe instances; each csc.exe starts cvtres.exe and conhost.exe and drops C:\Users\user\AppData\Local\...\tojvddq4.dll or C:\Users\user\AppData\Local\...\bcqosp40.dll (PE32)
Signatures on DWFgZgrOiynVCqUWma5.exe: Antivirus detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process
Signatures on RegAsm.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures
Network: site-cdn.onenote.net (resolved at top level); bot.whatismyipaddress.com 66.171.248.178, port 49704 -> 80, United States (contacted by RegAsm.exe)

Simulations

Behavior and APIs

Time | Type | Description
22:40:16 | API Interceptor | 2x Sleep call for process: RegAsm.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
T XXXVIS.exe | 21% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\bcqosp40\bcqosp40.dll | 100% | Avira | HEUR/AGEN.1019596
C:\Users\user\AppData\Local\Temp\tojvddq4\tojvddq4.dll | 100% | Avira | HEUR/AGEN.1019596
C:\Users\user\AppData\Local\Temp\IXP000.TMP\DWFgZgrOiynVCqUWma5.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.DWFgZgrOiynVCqUWma5.exe.5cf0000.4.unpack | 100% | Avira | TR/Dropper.Gen
10.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner | Label
site-cdn.onenote.net | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://bot.whatismyipaddress.com4k | 0% | Avira URL Cloud | safe
https://a.pomf.cat/ | 4% | Virustotal |
https://a.pomf.cat/ | 100% | URL Reputation | malware
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 7% | Virustotal |
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe