Analysis Report ScaNovatech20040.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 220446
Start date: 06.04.2020
Start time: 12:54:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ScaNovatech20040.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.spyw.evad.winEXE@18/3@7/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 24.8% (good quality ratio 11.2%)
  • Quality average: 26.4%
  • Quality standard deviation: 34.1%
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 86
  • Number of non-executed functions: 18
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 8.248.113.254, 8.253.95.249, 67.26.73.254, 67.26.81.254, 67.27.157.126, 93.184.221.240, 2.20.143.23, 2.20.143.16, 67.27.159.254, 67.27.159.126, 8.248.121.254, 67.26.139.254, 8.253.204.121
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 92
Range: 0 - 100
Whitelisted: false
Threat: Remcos
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required: false


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
Execution:
  • Windows Management Instrumentation 111
  • Scripting 11
  • Graphical User Interface 1
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
Persistence:
  • Registry Run Keys / Startup Folder 11
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
Privilege Escalation:
  • Process Injection 11
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
Defense Evasion:
  • Masquerading 1
  • Disabling Security Tools 1
  • Virtualization/Sandbox Evasion 13
  • Process Injection 11
  • Scripting 11
  • Obfuscated Files or Information 1
  • DLL Side-Loading 1
Credential Access:
  • Credential Dumping 1
  • Input Capture 1
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
Discovery:
  • Virtualization/Sandbox Evasion 13
  • Process Discovery 1
  • Security Software Discovery 21
  • Remote System Discovery 1
  • File and Directory Discovery 1
  • System Information Discovery 114
  • Network Sniffing
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
Collection:
  • Email Collection 1
  • Input Capture 1
  • Data from Local System 1
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
Exfiltration:
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
Command and Control:
  • Uncommonly Used Port 1
  • Standard Cryptographic Protocol 2
  • Standard Non-Application Layer Protocol 1
  • Standard Application Layer Protocol 12
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: https://www.tagmakers-trade.co.uk/ALL9mode_encrypted_237CF20.bin | Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
Source: ScaNovatech20040.exe | Virustotal: Detection: 56%
Source: ScaNovatech20040.exe | ReversingLabs: Detection: 29%

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: remcozy.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49744 -> 185.103.96.151:45131
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.tagmakers-trade.co.uk
Urls found in memory or binary data
Source: ScaNovatech20040.exe, 00000000.00000002.1092674725.0000000004800000.00000040.00000001.sdmp, ScaNovatech20040.exe, 00000003.00000002.886430130.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://www.tagmakers-trade.co.uk/ALL9mode_encrypted_237CF20.bin
Source: ScaNovatech20040.exe, 00000000.00000002.1092674725.0000000004800000.00000040.00000001.sdmp, ScaNovatech20040.exe, 00000003.00000002.886430130.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://www.tagmakers-trade.co.uk/Rainil7.exe
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ScaNovatech20040.exe, 00000000.00000002.855575746.00000000005E0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A0CE NtProtectVirtualMemory,0_2_0480A0CE
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_048034D7 NtWriteVirtualMemory,0_2_048034D7
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_048003B5 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_048003B5
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A56F NtResumeThread,0_2_0480A56F
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A685 NtResumeThread,0_2_0480A685
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803690 NtWriteVirtualMemory,0_2_04803690
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A89E NtResumeThread,0_2_0480A89E
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A8B1 NtResumeThread,0_2_0480A8B1
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480AADC NtResumeThread,0_2_0480AADC
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803CE5 NtWriteVirtualMemory,0_2_04803CE5
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803808 NtWriteVirtualMemory,0_2_04803808
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480AE16 NtResumeThread,0_2_0480AE16
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803993 NtWriteVirtualMemory,0_2_04803993
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A9CB NtResumeThread,0_2_0480A9CB
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480B1E2 NtResumeThread,0_2_0480B1E2
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480ABF2 NtResumeThread,0_2_0480ABF2
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480AD04 NtResumeThread,0_2_0480AD04
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803506 NtWriteVirtualMemory,0_2_04803506
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480051B NtSetInformationThread,TerminateProcess,0_2_0480051B
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_04803B49 NtWriteVirtualMemory,0_2_04803B49
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480AF66 NtResumeThread,0_2_0480AF66
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0480A578 NtResumeThread,0_2_0480A578
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 3_2_0056A0CE NtProtectVirtualMemory,3_2_0056A0CE
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 3_2_005603B5 EnumWindows,NtSetInformationThread,TerminateProcess,3_2_005603B5
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 3_2_0056051B NtSetInformationThread,TerminateProcess,3_2_0056051B
Sample file name is different from the original file name gathered from version info
Source: ScaNovatech20040.exe, 00000000.00000000.738463862.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamespill.exe vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000000.00000002.862191186.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.911991329.0000000002318000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamespill.exe vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.1009616291.000000001EFB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.911177143.0000000000800000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.1010113344.000000001F0B0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.1010113344.000000001F0B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe, 00000003.00000002.911914163.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs ScaNovatech20040.exe
Source: ScaNovatech20040.exe | Binary or memory string: OriginalFilenamespill.exe vs ScaNovatech20040.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Classification label
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@18/3@7/3
Creates files inside the user directory
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | File created: C:\Users\user\endeballe
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_01
Source: C:\Users\user\endeballe\Scrawlers.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-P7T31F
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\endeballe\Scrawlers.vbs'
PE file has an executable .text section and no other executable section
Source: ScaNovatech20040.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Rainil7.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\endeballe\Scrawlers.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (x3)
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | File read: C:\Windows\System32\drivers\etc\hosts (x2)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (x4)
Source: C:\Users\user\endeballe\Scrawlers.exe | File read: C:\Windows\System32\drivers\etc\hosts (x4)
Sample is known by Antivirus
Source: ScaNovatech20040.exe | Virustotal: Detection: 56%
Source: ScaNovatech20040.exe | ReversingLabs: Detection: 29%
Sample reads its own file content
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | File read: C:\Users\user\Desktop\ScaNovatech20040.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\ScaNovatech20040.exe 'C:\Users\user\Desktop\ScaNovatech20040.exe' (x2)
Source: unknown | Process created: C:\Users\user\Rainil7.exe 'C:\Users\user\Rainil7.exe'
Source: unknown | Process created: C:\Users\user\endeballe\Scrawlers.exe 'C:\Users\user\endeballe\Scrawlers.exe' (x2)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\endeballe\Scrawlers.vbs' (x2)
Source: unknown | Process created: C:\Users\user\endeballe\Scrawlers.exe C:\Users\user\endeballe\Scrawlers.exe (x2)
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Rainil7.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Process created: C:\Users\user\Desktop\ScaNovatech20040.exe 'C:\Users\user\Desktop\ScaNovatech20040.exe'
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Process created: C:\Users\user\Rainil7.exe 'C:\Users\user\Rainil7.exe'
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Process created: C:\Users\user\endeballe\Scrawlers.exe 'C:\Users\user\endeballe\Scrawlers.exe'
Source: C:\Users\user\Rainil7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Rainil7.exe'
Source: C:\Users\user\endeballe\Scrawlers.exe | Process created: C:\Users\user\endeballe\Scrawlers.exe 'C:\Users\user\endeballe\Scrawlers.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\endeballe\Scrawlers.exe C:\Users\user\endeballe\Scrawlers.exe (x2)
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_004088FB push edx; retf 0_2_004088FE
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0040E8AE push esi; retf 0_2_0040E8B1
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0040F356 push edx; ret 0_2_0040F35A
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0040A398 push ecx; iretd 0_2_0040A39A
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Code function: 0_2_0040D1AA push ecx; retf 0_2_0040D1B2
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_0040F11D push edx; ret 4_2_0040F11E
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_004059EA push cs; retf 4_2_004059F4
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_00406DF4 push cs; retf 4_2_00406DFC
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_00413E19 pushad ; retf 4_2_00413E2C
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_0040DA39 push ds; ret 4_2_0040DA7B
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_0040EF66 push ecx; ret 4_2_0040EFA7
Source: C:\Users\user\Rainil7.exe | Code function: 4_2_004083A1 push ebx; ret 4_2_004083A2

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Neurony C:\Users\user\endeballe\Scrawlers.vbs (x2)
Creates an autostart registry key
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Neurony (x4)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe | Process information set: NOOPENFILEERRORBOX (x21)
Source: C:\Users\user\Rainil7.exe | Process information set: NOOPENFILEERRORBOX (x3)
Source: C:\Users\user\endeballe\Scrawlers.exe | Process information set: NOOPENFILEERRORBOX (x4)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (x4)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (x61)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\endeballe\Scrawlers.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Thread delayed: delay time: 922337203685477
Note: 922337203685477 is (2^63 - 1) / 10000 truncated, i.e. .NET TimeSpan.MaxValue expressed in milliseconds. The payload hosted in RegAsm.exe is not sleeping for a few minutes; it has parked a thread indefinitely, which is what the "Sample execution stops while process was sleeping" signature below records.
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe -> Window found: window name: WSH-Timer (2 rows)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124 -> Thread sleep time: -45000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2284 -> Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Note: Win32_BaseBoard and Win32_Processor expose Manufacturer, Product and Name strings that read "VMware", "VirtualBox", "QEMU" or similar on stock hypervisors. Because the check goes through WMI rather than a cpuid instruction, hardening a sandbox against it means rewriting the strings WMI returns, not trapping cpuid.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
Source: C:\Users\user\endeballe\Scrawlers.exe -> Last function: Thread delayed
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_048003B5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000
Note: the second argument, 0x11, is THREADINFOCLASS 17 (ThreadHideFromDebugger). A thread with this flag set stops delivering debug events, so a user-mode debugger attached to the process silently loses it. NtQueryInformationThread with the same class returns whether the flag is set, which is the check to run before trusting a debugger session on this sample.
Hides threads from debuggers
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Thread information set: HideFromDebugger (2 rows)
Source: C:\Users\user\Rainil7.exe -> Thread information set: HideFromDebugger
Source: C:\Users\user\endeballe\Scrawlers.exe -> Thread information set: HideFromDebugger (3 rows)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Thread information set: HideFromDebugger (2 rows)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_04804ABA LdrInitializeThunk
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_04801C0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_0480427E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_04802BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_048081D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_048097D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_048089F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 0_2_04802747 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_0056427E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_00561C0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_00562747 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_005697D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_005681D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_005689F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Code function: 3_2_00562BB6 mov eax, dword ptr fs:[00000030h]
Note: fs:[30h] is TEB.ProcessEnvironmentBlock on 32-bit Windows; code reads it to check PEB.BeingDebugged or NtGlobalFlag, or to walk PEB.Ldr and resolve imports without calling GetProcAddress. The process 3 functions repeat the process 0 offsets at a different base (for example 0x00562747 against 0x04802747), i.e. the same unpacked stub is running in the second ScaNovatech20040.exe instance.
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Memory allocated: page read and write | page guard
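The evasion and anti-debug rows above are useful only once someone has decoded them: the sleep value has to be recognised as TimeSpan.MaxValue, the WMI class names as hypervisor fingerprinting, the 0x11 argument as ThreadHideFromDebugger and fs:[30h] as a PEB read. The script below is an added example written for this page, not Joe Sandbox code; it takes rows constructed from the listing above (embedded so it runs offline) and turns each into a category plus a one-line reading. The assumption that the delay figures are milliseconds is marked in the code.

```python
"""Decode the evasion / anti-debug rows of a Joe Sandbox behaviour listing.

Hypothetical helper written for this page; not Joe Sandbox code. The rows below
are constructed from the report text so the script runs offline.
"""
import re
from collections import Counter

SAMPLE_ROWS = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124 Thread sleep time: -45000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\ScaNovatech20040.exe Code function: 0_2_048003B5 NtSetInformationThread 000000FE,00000011,00000000,00000000",
    r"Source: C:\Users\user\Desktop\ScaNovatech20040.exe Code function: 0_2_04801C0E mov eax, dword ptr fs:[00000030h]",
]

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns. In whole milliseconds
# that is 922337203685477, the exact figure the report prints for RegAsm.exe.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000            # the report's own ">= 3 min" threshold
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger"}   # ntdll THREADINFOCLASS 17
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_BIOS", "Win32_Processor"}
# Assumption: sleep/delay figures are milliseconds even where a row shows an "s"
# suffix (45000 against a 30000 threshold reads as 45 s vs 30 s).


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(row: str) -> dict:
    """Map one 'Source: <process> <event>' row to a category and a short reading."""
    head = re.match(r"Source:\s*(\S+)\s+(.*)", row)
    process, event = head.group(1), head.group(2)
    result = {"process": process, "category": "other", "detail": event}

    sleep = re.search(r"(?:delay time|sleep time):\s*-?(\d+)", event)
    if sleep:
        ms = int(sleep.group(1))
        if ms >= TIMESPAN_MAX_MS:
            result.update(category="infinite_sleep",
                          detail="Thread.Sleep(TimeSpan.MaxValue): the thread never resumes")
        elif ms >= LONG_SLEEP_MS:
            result.update(category="long_sleep", detail=f"{ms / 60000:.1f} min")
        else:
            result.update(category="sleep", detail=f"{ms / 1000:.1f} s")
        return result

    wmi = re.search(r"cimv2 : (\w+)", event)
    if wmi:
        cls = wmi.group(1)
        cat = "vm_fingerprint_wmi" if cls in VM_FINGERPRINT_CLASSES else "wmi_query"
        result.update(category=cat, detail=cls)
        return result

    nt = re.search(r"NtSetInformationThread ([0-9A-F]{8}),([0-9A-F]{8})", event)
    if nt:
        info_class = int(nt.group(2), 16)
        name = THREADINFOCLASS.get(info_class, f"class 0x{info_class:x}")
        result.update(category="anti_debug", detail=f"NtSetInformationThread({name})")
        return result

    if re.search(r"fs:\[0*30h\]", event):
        result.update(category="peb_read",
                      detail="mov eax, fs:[30h] reads TEB.ProcessEnvironmentBlock")
    return result


def summarize(rows) -> dict:
    """Collapse the per-call listing into (process, category) -> count."""
    counts = Counter()
    for row in rows:
        r = classify(row)
        counts[(basename(r["process"]), r["category"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        r = classify(row)
        print(f"{basename(r['process']):24} {r['category']:20} {r['detail']}")
    print(summarize(SAMPLE_ROWS))
```

Feeding the whole behaviour listing through summarize() is what makes the per-process picture legible: the hypervisor checks and the permanent sleep sit in RegAsm.exe, the debugger-hiding and PEB reads in the unpacking stub of ScaNovatech20040.exe.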

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Process created: C:\Users\user\Desktop\ScaNovatech20040.exe 'C:\Users\user\Desktop\ScaNovatech20040.exe'
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Process created: C:\Users\user\Rainil7.exe 'C:\Users\user\Rainil7.exe'
Source: C:\Users\user\Desktop\ScaNovatech20040.exe -> Process created: C:\Users\user\endeballe\Scrawlers.exe 'C:\Users\user\endeballe\Scrawlers.exe'
Source: C:\Users\user\Rainil7.exe -> Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Rainil7.exe'
Source: C:\Users\user\endeballe\Scrawlers.exe -> Process created: C:\Users\user\endeballe\Scrawlers.exe 'C:\Users\user\endeballe\Scrawlers.exe'
Source: C:\Windows\System32\wscript.exe -> Process created: C:\Users\user\endeballe\Scrawlers.exe C:\Users\user\endeballe\Scrawlers.exe (2 rows)
Note: the RegAsm.exe row is the injection target. Rainil7.exe starts the Microsoft-signed .NET utility RegAsm.exe suspended, with Rainil7's own path as the command line; that image/command-line mismatch is the process-hollowing pattern, and it is consistent with the credential theft and network activity below running under a trusted Windows binary. The two self-spawns (ScaNovatech20040.exe and Scrawlers.exe each starting a suspended copy of their own image) are the same mechanism used to unpack into a fresh process. Sysmon Event ID 1 or Windows 4688 records in which Image and CommandLine name different executables surface this directly.
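The process-creation rows above carry three distinct signals: an image started with another binary's command line (hollowing), a binary re-spawning itself (unpacking), and a script host launching an executable from the user profile (the persistence path). The script below is an added example written for this page, not Joe Sandbox code or the sample's own logic; its events are constructed from the rows above, and the list of hollow-prone .NET utilities is an assumption drawn from common tradecraft, not from the report.

```python
"""Flag process-hollowing and script-host launch patterns in process-creation rows.

Hypothetical helper written for this page, not Joe Sandbox code. The events are
constructed from the 'Process created' rows above.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessCreate:
    parent: str    # image path of the creating process
    image: str     # image path of the new process
    cmdline: str   # command line the new process was given


SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Users\user\Desktop\ScaNovatech20040.exe",
                  r"C:\Users\user\Desktop\ScaNovatech20040.exe",
                  r"'C:\Users\user\Desktop\ScaNovatech20040.exe' "),
    ProcessCreate(r"C:\Users\user\Desktop\ScaNovatech20040.exe",
                  r"C:\Users\user\Rainil7.exe", r"'C:\Users\user\Rainil7.exe' "),
    ProcessCreate(r"C:\Users\user\Desktop\ScaNovatech20040.exe",
                  r"C:\Users\user\endeballe\Scrawlers.exe",
                  r"'C:\Users\user\endeballe\Scrawlers.exe' "),
    ProcessCreate(r"C:\Users\user\Rainil7.exe",
                  r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
                  r"'C:\Users\user\Rainil7.exe' "),
    ProcessCreate(r"C:\Users\user\endeballe\Scrawlers.exe",
                  r"C:\Users\user\endeballe\Scrawlers.exe",
                  r"'C:\Users\user\endeballe\Scrawlers.exe' "),
    ProcessCreate(r"C:\Windows\System32\wscript.exe",
                  r"C:\Users\user\endeballe\Scrawlers.exe",
                  r"C:\Users\user\endeballe\Scrawlers.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: signed .NET framework utilities that are routinely started suspended
# and hollowed; RegAsm.exe is the one this report shows.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline: str) -> str:
    """First token of the command line (quoted with ' or ", or bare): argv[0]."""
    m = re.match(r'''\s*(?:"([^"]+)"|'([^']+)'|(\S+))''', cmdline)
    return next(g for g in m.groups() if g) if m else cmdline.strip()


def in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def flags(ev: ProcessCreate) -> list:
    """Return the reasons one creation event deserves attention (empty if none)."""
    out = []
    img, par = basename(ev.image), basename(ev.parent)
    claimed = basename(cmdline_image(ev.cmdline))
    if claimed != img:
        out.append(f"image {img} started with the command line of {claimed}: hollowing/spoofing")
    if ev.parent.lower() == ev.image.lower():
        out.append("process re-spawns its own image: unpack into a fresh copy")
    if par in SCRIPT_HOSTS and in_user_profile(ev.image):
        out.append(f"{par} launches a user-profile binary: script-driven persistence")
    if img in HOLLOW_TARGETS and in_user_profile(ev.parent):
        out.append(f"signed .NET utility {img} spawned by user-profile binary {par}")
    return out


def triage(events) -> list:
    """[(parent -> child, [reasons]), ...] for every event that raised a flag."""
    hits = []
    for ev in events:
        reasons = flags(ev)
        if reasons:
            hits.append((f"{basename(ev.parent)} -> {basename(ev.image)}", reasons))
    return hits


if __name__ == "__main__":
    for edge, reasons in triage(SAMPLE_EVENTS):
        print(edge)
        for r in reasons:
            print("   ", r)
```

The same four checks apply unchanged to Sysmon Event ID 1 (ParentImage, Image, CommandLine) or to 4688 with command-line auditing enabled; the only sandbox-specific part is the transcription of the rows into ProcessCreate records.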

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 rows)
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the volume query against a GAC assembly is what any .NET process produces when it loads framework assemblies, so on its own it is weak evidence. MachineGuid is a stable per-installation identifier and is commonly read to build a bot or victim ID.

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 rows)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Note: these are the standard credential stores rather than incidental reads: Chrome's Login Data SQLite database, the profiles.ini files that locate the Firefox and Thunderbird profile directories (and with them logins.json and key4.db), and the Outlook MAPI profile subkey 9375CFF0413111d3B88A00104B2A6676 that holds account settings including stored mail passwords. All of it is done by the hollowed RegAsm.exe, so file-access telemetry keyed on image name alone attributes the theft to a Microsoft binary; the parent (Rainil7.exe) and the command-line mismatch are what identify it.

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 220446  Sample: ScaNovatech20040.exe  Startdate: 06/04/2020  Architecture: WINDOWS  Score: 92

(The graph image is not reproduced; the node and edge data recovered from it follow as a process tree. Node numbers are the graph's own.)

Node 2 (sample start)
  DNS/IP: www.tagmakers-trade.co.uk; smtp.zellico.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Sigma detected: Remcos; Uses dynamic DNS services
  Started: ScaNovatech20040.exe [10]; wscript.exe [13]; wscript.exe [15]

ScaNovatech20040.exe [10]
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Hides threads from debuggers; Contains functionality to hide a thread from the debugger
  Started: ScaNovatech20040.exe [17]

wscript.exe [13] -> Scrawlers.exe [21]
wscript.exe [15] -> Scrawlers.exe [23]

ScaNovatech20040.exe [17]
  DNS/IP: www.tagmakers-trade.co.uk; tagmakers-trade.co.uk = 95.154.210.2, port 443 (local ports 49740, 49743), ASN unknown, United Kingdom
  Signatures: Hides threads from debuggers
  Started: Rainil7.exe [25]; Scrawlers.exe [28]

Rainil7.exe [25]
  Signatures: Hides threads from debuggers
  Started: RegAsm.exe [30]

Scrawlers.exe [28] -> Scrawlers.exe [34]

RegAsm.exe [30]
  DNS/IP: www.tagmarket.co.uk; tagmarket.co.uk = 95.154.210.72, port 443 (local ports 49741, 49742), ASN unknown, United Kingdom
  Signatures: Tries to steal Mail credentials (via file access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  Started: conhost.exe [36]

Scrawlers.exe [34]
  DNS/IP: remcozy.duckdns.org = 185.103.96.151, port 45131 (local ports 49744, 49745), ASN unknown, United Kingdom; www.tagmakers-trade.co.uk; tagmakers-trade.co.uk
  Signatures: Hides threads from debuggers

Simulations

Behavior and APIs

Time | Type | Description
12:55:57 | AutostartRun | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, value Neurony = C:\Users\user\endeballe\Scrawlers.vbs
12:56:08 | AutostartRun | HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce, value Neurony = C:\Users\user\endeballe\Scrawlers.vbs
Note: HKCU64 is the native 64-bit view of the same per-user hive. A RunOnce value is deleted once it has run, so recurring persistence through it requires the payload to rewrite the value on every start; the two writes eleven seconds apart fit that. The sandbox's autostart simulation then ran the entry itself, which is where the two wscript.exe -> Scrawlers.exe chains in the behaviour graph come from: wscript.exe executes Scrawlers.vbs, which starts Scrawlers.exe.
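A RunOnce value that points at a .vbs in a user-profile directory and is rewritten repeatedly is a small, specific pattern worth checking for on any host that touched this sample. The script below is an added example written for this page, not Joe Sandbox code: assess() scores a single Run/RunOnce value, rewrites() counts how often the same value was re-armed across a run, and collect_runonce() is the optional live equivalent that returns nothing off Windows. The sample entries are constructed from the table above; the script-extension and vendor-root lists are assumptions of this example.

```python
"""Assess autostart (RunOnce) entries of the kind this sample writes.

Hypothetical helper written for this page, not Joe Sandbox code. SAMPLE_AUTOSTARTS
is constructed from the 'Behavior and APIs' table above; collect_runonce() is the
optional live equivalent and returns [] when winreg is unavailable.
"""
import re
from collections import Counter

SAMPLE_AUTOSTARTS = [
    # (time, key, value name, value data)
    ("12:55:57", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Neurony",
     r"C:\Users\user\endeballe\Scrawlers.vbs"),
    ("12:56:08", r"HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Neurony",
     r"C:\Users\user\endeballe\Scrawlers.vbs"),
]

# Assumptions of this example, not values taken from the report.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def target_path(data: str) -> str:
    """argv[0] of the value data: what the shell will actually run."""
    m = re.match(r'''\s*(?:"([^"]+)"|'([^']+)'|(\S+))''', data)
    return next(g for g in m.groups() if g) if m else data.strip()


def assess(key: str, name: str, data: str) -> list:
    """Reasons a single Run/RunOnce value looks like malware persistence."""
    reasons = []
    path = target_path(data).lower()
    filename = path.rsplit("\\", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"payload is a {ext} script run by a script host, not an installed program")
    if path.startswith("c:\\users\\"):
        reasons.append("target lives in a user profile directory")
    elif not path.startswith(VENDOR_ROOTS):
        reasons.append("target is outside Program Files / Windows")
    hive_key = key.upper().replace("HKCU64", "HKCU")
    if hive_key.startswith("HKCU\\") and hive_key.endswith("\\RUNONCE"):
        reasons.append("per-user RunOnce: writable without admin rights and self-deleting after use")
    return reasons


def rewrites(entries) -> dict:
    """Count how often the same (hive, name, target) was written. RunOnce values that
    are re-armed repeatedly are being used for recurring persistence."""
    counts = Counter()
    for _time, key, name, data in entries:
        hive = key.split("\\", 1)[0].upper().replace("HKCU64", "HKCU")
        counts[(hive, name, target_path(data).lower())] += 1
    return dict(counts)


def collect_runonce() -> list:
    """Live enumeration of HKCU RunOnce on Windows; [] elsewhere or if the key is absent."""
    try:
        import winreg
    except ImportError:
        return []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    out = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break
                out.append(("now", "HKCU\\" + subkey, name, str(data)))
                i += 1
    except OSError:
        pass
    return out


if __name__ == "__main__":
    for entry in SAMPLE_AUTOSTARTS + collect_runonce():
        print(entry[0], entry[2], "=>", entry[3], assess(*entry[1:]))
    print(rewrites(SAMPLE_AUTOSTARTS))
```

On a live host the same three reasons fire for the sample's entry, and rewrites() over a short registry-audit window (Windows event 4657, or Sysmon Event ID 13 on the RunOnce path) shows whether the value is being re-armed between executions.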

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ScaNovatech20040.exe | 57% | Virustotal | -
ScaNovatech20040.exe | 30% | ReversingLabs | Win32.Malware.Kryptik

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
tagmakers-trade.co.uk | 0% | Virustotal | -
tagmarket.co.uk | 0% | Virustotal | -
remcozy.duckdns.org | 0% | Virustotal | -
www.tagmakers-trade.co.uk | 1% | Virustotal | -
smtp.zellico.com | 3% | Virustotal | -
Note: remcozy.duckdns.org, the dynamic-DNS host that Scrawlers.exe connects to on port 45131, scores 0%; domain reputation adds nothing here, and the "Uses dynamic DNS services" and "Sigma detected: Remcos" signatures in the behaviour graph carry the verdict.