Loading ...

Play interactive tourEdit tour

Analysis Report Background.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:220941
Start date:07.04.2020
Start time:19:32:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 13m 45s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Background.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal92.troj.evad.winEXE@12/3@87/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 208
  • Number of non-executed functions: 14
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, MusNotifyIcon.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 8.253.204.249, 67.27.159.126, 8.253.204.121, 67.27.157.254, 67.27.158.254, 216.58.207.78, 172.217.22.110, 92.123.22.235
  • Excluded domains from analysis (whitelisted): docs.google.com, e5684.g.akamaiedge.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, drive.google.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold920 - 100false
Nanocore
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Hidden Files and Directories1Process Injection12Masquerading1Input Capture11Virtualization/Sandbox Evasion12Application Deployment SoftwareInput Capture11Data Encrypted1Uncommonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionRegistry Run Keys / Startup Folder1Accessibility FeaturesHidden Files and Directories1Network SniffingProcess Discovery2Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Cryptographic Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionDisabling Security Tools1Input CaptureApplication Window Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote Access Tools1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingVirtualization/Sandbox Evasion12Credentials in FilesSecurity Software Discovery11Logon ScriptsInput CaptureData EncryptedStandard Non-Application Layer Protocol1SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessProcess Injection12Account ManipulationRemote System Discovery1Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol12Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceObfuscated Files or Information1Brute ForceSystem Information Discovery2Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskDLL Side-Loading1Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Found malware configurationShow sources
Source: RegAsm.exe.4520.9.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORY

Networking:

barindex
Uses dynamic DNS servicesShow sources
Source: unknownDNS query: name: oluwaboi.duckdns.org
Source: unknownDNS query: name: bb419.duckdns.org
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.2.7:49712 -> 91.189.180.198:17120
Source: global trafficTCP traffic: 192.168.2.7:49715 -> 185.140.53.136:17120
IP address seen in connection with other malwareShow sources
Source: Joe Sandbox ViewIP Address: 172.217.23.97 172.217.23.97
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Source: Joe Sandbox ViewASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: doc-0k-bc-docs.googleusercontent.com
Urls found in memory or binary dataShow sources
Source: RegAsm.exe, 00000004.00000003.1780692472.000000000166D000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: RegAsm.exe, 00000004.00000003.1709132502.00000000016B2000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog
Source: RegAsm.exe, 00000004.00000003.1709132502.00000000016B2000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000004.00000003.1090913820.00000000016C8000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: RegAsm.exe, 00000004.00000003.931369846.000000000166D000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/
Source: RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/docs/securesc/okjaf0d96k16o2ur6os401lotlk7qdd4/f
Source: RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/docs/securesc/okjaf0d96k16o2ur6os401lotlk7qdd4/frctj5jk
Source: RegAsm.exe, 00000004.00000003.931369846.000000000166D000.00000004.00000001.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/docs/securesc/okjaf0d96k16o2ur6os401lotlk7qdd4/u
Source: RegAsm.exe, 00000004.00000003.1090913820.00000000016C8000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.931369846.000000000166D000.00000004.00000001.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/docs/securesc/okjaf0d96k16o2ur6os401lotlk7qdd4/uikil5gv
Source: RegAsm.exe, 00000004.00000003.1780692472.000000000166D000.00000004.00000001.sdmpString found in binary or memory: https://doc-0k-bc-docs.googleusercontent.com/f
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/
Source: RegAsm.exe, 00000004.00000003.1090913820.00000000016C8000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/nonceSigner?nonce=s1tlsk798umdu&continue=https://doc-0k-bc-docs.googleuserco
Source: RegAsm.exe, 00000004.00000003.1033589837.00000000016A1000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/z
Source: RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/f%
Source: RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/s
Source: RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aS8MNnPgdsqf195SqHF_HaJrDStbXu1Y
Source: RegAsm.exe, 00000009.00000002.943991919.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 0000000B.00000002.985023376.00000000013C0000.00000040.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aS8MNnPgdsqf195SqHF_HaJrDStbXu1Yhttps://oluwaboi419.
Source: RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aS8MNnPgdsqf195SqHF_HaJrDStbXu1YqC
Source: RegAsm.exe, 00000009.00000002.943991919.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 0000000B.00000002.985023376.00000000013C0000.00000040.00000001.sdmpString found in binary or memory: https://oluwaboi419.000webhostapp.com/JANMEGACASH2020_encrypted_5FCC7B0.bin
Source: RegAsm.exe, 00000004.00000003.1709132502.00000000016B2000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.945241774.0000000001376000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpString found in binary or memory: https://pki.goog/repository/0
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)Show sources
Source: RegAsm.exe, 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Abnormal high CPU UsageShow sources
Source: C:\Users\user\Desktop\Background.exeProcess Stats: CPU usage > 98%
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A49D6 NtResumeThread,0_2_047A49D6
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A49F4 NtResumeThread,0_2_047A49F4
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 6_2_0521460D NtProtectVirtualMemory,CreateProcessInternalW,6_2_0521460D
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_048149D6 NtResumeThread,7_2_048149D6
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_048149F4 NtResumeThread,7_2_048149F4
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A27660_2_047A2766
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 6_2_0521460D6_2_0521460D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F021429_2_00F02142
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_1FD623A09_2_1FD623A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_1FD62FA89_2_1FD62FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_1FD638509_2_1FD63850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_1FD6306F9_2_1FD6306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C214211_2_013C2142
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_202023A011_2_202023A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_20202FA811_2_20202FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_2020306F11_2_2020306F
PE file contains strange resourcesShow sources
Source: Background.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Kindtnde.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version infoShow sources
Source: Background.exe, 00000000.00000002.742285584.0000000002B34000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWinWord.exe vs Background.exe
Source: Background.exe, 00000000.00000002.743151419.0000000004770000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Background.exe
Source: Background.exeBinary or memory string: OriginalFilenameWinWord.exe vs Background.exe
Tries to load missing DLLsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Yara signature matchShow sources
Source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Classification labelShow sources
Source: classification engineClassification label: mal92.troj.evad.winEXE@12/3@87/3
Creates files inside the user directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\TrkagenspseudJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{aa770388-22d8-4100-a34e-8c8c3f4efeec}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_01
PE file has an executable .text section and no other executable sectionShow sources
Source: Background.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)Show sources
Source: C:\Users\user\Desktop\Background.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Background.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Background.exe 'C:\Users\user\Desktop\Background.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Background.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\Trkagenspseud\Kindtnde.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe'
Source: unknownProcess created: C:\Users\user\Trkagenspseud\Kindtnde.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Background.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Background.exe' Jump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe' Jump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Background.exeStatic file information: File size 41107456 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
PE file has a big raw sectionShow sources
Source: Background.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2726000

Data Obfuscation:

barindex
PE file contains an invalid checksumShow sources
Source: Kindtnde.exe.4.drStatic PE information: real checksum: 0x273ccbe should be:
Source: Background.exeStatic PE information: real checksum: 0x273ccbe should be:
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A3079 pushad ; iretd 0_2_047A307C
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A3179 pushad ; iretd 0_2_047A317C
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A3045 push edx; ret 0_2_047A3046
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A3145 push edx; ret 0_2_047A3146
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A4FAA push ss; retf 0_2_047A4FAB
Source: C:\Users\user\Desktop\Background.exeCode function: 0_2_047A4D93 push ss; retf 0_2_047A4DE3
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 6_2_052100EB pushfd ; iretd 6_2_052100F6
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 6_2_05214FAA push ss; retf 6_2_05214FAB
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 6_2_05214D93 push ss; retf 6_2_05214DE3
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_04814D93 push ss; retf 7_2_04814DE3
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_04814FAA push ss; retf 7_2_04814FAB
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_04812146 push ecx; ret 7_2_04812147
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_04811766 push ecx; ret 7_2_04811767
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_0481307B pushad ; iretd 7_2_0481307C
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeCode function: 7_2_0481317B pushad ; iretd 7_2_0481317C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F04FAA push ss; retf 9_2_00F04FAB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F04D93 push ss; retf 9_2_00F04DE3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C4FAA push ss; retf 11_2_013C4FAB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C4D93 push ss; retf 11_2_013C4DE3

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\Trkagenspseud\Kindtnde.exeJump to dropped file

Boot Survival:

barindex
Creates an autostart registry keyShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fodermestresJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fodermestresJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fodermestresJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fodermestresJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\Background.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Background.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Background.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 485Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 1772Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 363Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 501Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 1283Jump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3880Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3936Thread sleep time: -340000s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3692Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3160Thread sleep time: -922337203685477s >= -30000sJump to behavior
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: RegAsm.exe, 00000004.00000003.1780692472.000000000166D000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.944747526.000000000130B000.00000004.00000020.sdmp, RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000B.00000002.986218877.000000000174B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWH
Queries a list of all running processesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Hides threads from debuggersShow sources
Source: C:\Users\user\Desktop\Background.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Contains functionality to read the PEBShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F01214 mov eax, dword ptr fs:[00000030h]9_2_00F01214
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F03DD1 mov eax, dword ptr fs:[00000030h]9_2_00F03DD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F009C8 mov eax, dword ptr fs:[00000030h]9_2_00F009C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F041B0 mov eax, dword ptr fs:[00000030h]9_2_00F041B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F03D92 mov eax, dword ptr fs:[00000030h]9_2_00F03D92
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_00F01D74 mov eax, dword ptr fs:[00000030h]9_2_00F01D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C1214 mov eax, dword ptr fs:[00000030h]11_2_013C1214
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C1D74 mov eax, dword ptr fs:[00000030h]11_2_013C1D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C41B0 mov eax, dword ptr fs:[00000030h]11_2_013C41B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C3D92 mov eax, dword ptr fs:[00000030h]11_2_013C3D92
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C3DD1 mov eax, dword ptr fs:[00000030h]11_2_013C3DD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 11_2_013C09C8 mov eax, dword ptr fs:[00000030h]11_2_013C09C8
Enables debug privilegesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\Background.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Background.exe' Jump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe' Jump to behavior
Source: C:\Users\user\Trkagenspseud\Kindtnde.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Trkagenspseud\Kindtnde.exe' Jump to behavior
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: RegAsm.exe, 00000004.00000003.1780692472.000000000166D000.00000004.00000001.sdmpBinary or memory string: Program Manager

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORY

Remote Access Functionality:

barindex
Detected Nanocore RatShow sources
Source: RegAsm.exe, 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegAsm.exe, 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000009.00000002.961221451.0000000020DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.959961132.000000001FDB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991888603.0000000021250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.991742937.0000000020250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4520, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2976, type: MEMORY

Malware Configuration

Threatname: NanoCore

{"C2: ": ["172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet