Analysis Report bedrapes.exe

Overview

General Information

Sample Name: bedrapes.exe
MD5: 0edc42611fb4661272cf5eab4b754bf6
SHA1: 69d03aca2fe3bda7cc653578ddb19e863c7e59f6
SHA256: b9a87098dddc8de98d1ec0e5ffb4b57bb195df8af61e8a909860722815cf2d7a

Detection

NetWire GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Sleep loop found (likely to delay execution)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • bedrapes.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\bedrapes.exe' MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
    • bedrapes.exe (PID: 5544 cmdline: 'C:\Users\user\Desktop\bedrapes.exe' MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
      • kantaterne.exe (PID: 5672 cmdline: 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe' MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
        • kantaterne.exe (PID: 5968 cmdline: 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe' MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
  • wscript.exe (PID: 5936 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • kantaterne.exe (PID: 5980 cmdline: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
      • kantaterne.exe (PID: 5028 cmdline: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe MD5: 0EDC42611FB4661272CF5EAB4B754BF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: kantaterne.exe PID: 5968 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: kantaterne.exe PID: 5028 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: bedrapes.exe PID: 5544 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: kantaterne.exe PID: 5672 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: kantaterne.exe PID: 5980 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: NetWire
Source: Registry Key set | Author: Joe Security | Data: Details: BLESSEDMAN, EventID: 13, Image: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe, ProcessId: 5968, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: bedrapes.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Avira: detection malicious, Label: HEUR/AGEN.1023866
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Virustotal: Detection: 17%
Multi AV Scanner detection for submitted file
Source: bedrapes.exe | Virustotal: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bedrapes.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.bedrapes.exe.22a0000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49732 -> 54.179.179.37:80
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49738 -> 54.179.179.37:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 154.118.68.3 ports 39560,0,3,5,6,9
Source: global traffic | TCP traffic: 79.134.225.103 ports 39561,1,3,5,6,9
Uses dynamic DNS services
Source: unknown | DNS query: name: wealthybillionaire.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49733 -> 79.134.225.103:39561
Source: global traffic | TCP traffic: 192.168.2.5:49735 -> 154.118.68.3:39560
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: SpectranetNG
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /WEALTH_ucPrzgGP165.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 54.179.179.37 | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 54.179.179.37
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.103
Source: unknown | DNS traffic detected: queries for: wealthybillionaire.ddns.net
Source: kantaterne.exe, 0000000A.00000002.1205374016.0000000000560000.00000040.00000001.sdmp, kantaterne.exe, 0000000C.00000002.1205750117.00000000009D8000.00000004.00000020.sdmp | String found in binary or memory: http://54.179.179.37/WEALTH_ucPrzgGP165.bin
Source: kantaterne.exe, 0000000A.00000002.1205870217.00000000008CF000.00000004.00000020.sdmp | String found in binary or memory: http://54.179.179.37/WEALTH_ucPrzgGP165.bin79.37
Source: kantaterne.exe, 0000000C.00000002.1205750117.00000000009D8000.00000004.00000020.sdmp | String found in binary or memory: http://54.179.179.37/WEALTH_ucPrzgGP165.binA
Source: wscript.exe, 00000009.00000003.874494372.0000023797A62000.00000004.00000001.sdmp | String found in binary or memory: https://wdcp.microsoft.
Source: kantaterne.exe, 00000003.00000002.903095823.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA2F36 NtProtectVirtualMemory,0_2_02AA2F36
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA241B NtWriteVirtualMemory,0_2_02AA241B
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA3314 NtResumeThread,0_2_02AA3314
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA23DE NtWriteVirtualMemory,0_2_02AA23DE
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA01D3 NtSetInformationThread,TerminateProcess,0_2_02AA01D3
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA2302 NtWriteVirtualMemory,0_2_02AA2302
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA1200 NtWriteVirtualMemory,0_2_02AA1200
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA237F NtWriteVirtualMemory,0_2_02AA237F
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA287C NtWriteVirtualMemory,0_2_02AA287C
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA2157 NtWriteVirtualMemory,0_2_02AA2157
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00562F36 NtProtectVirtualMemory,2_2_00562F36
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00560343 NtProtectVirtualMemory,2_2_00560343
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_005601D3 NtSetInformationThread,TerminateProcess,2_2_005601D3
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C2F36 NtProtectVirtualMemory,3_2_022C2F36
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C241B NtWriteVirtualMemory,3_2_022C241B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C1200 NtWriteVirtualMemory,3_2_022C1200
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C2302 NtWriteVirtualMemory,3_2_022C2302
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C287C NtWriteVirtualMemory,3_2_022C287C
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C237F NtWriteVirtualMemory,3_2_022C237F
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C2157 NtWriteVirtualMemory,3_2_022C2157
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C23DE NtWriteVirtualMemory,3_2_022C23DE
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C01D3 NtSetInformationThread,TerminateProcess,3_2_022C01D3
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00561666 NtProtectVirtualMemory,10_2_00561666
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00563314 NtSetInformationThread,10_2_00563314
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00560F1B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_00560F1B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00562F36 NtProtectVirtualMemory,10_2_00562F36
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00560EE0 CreateThread,TerminateThread,NtProtectVirtualMemory,10_2_00560EE0
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005615E8 Sleep,NtProtectVirtualMemory,10_2_005615E8
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_0056165B NtProtectVirtualMemory,10_2_0056165B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00560343 NtProtectVirtualMemory,10_2_00560343
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00561619 NtProtectVirtualMemory,10_2_00561619
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005601D3 NtSetInformationThread,10_2_005601D3
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_0209241B NtWriteVirtualMemory,11_2_0209241B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02093314 NtResumeThread,11_2_02093314
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02092F36 NtProtectVirtualMemory,11_2_02092F36
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02091200 NtWriteVirtualMemory,11_2_02091200
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02092302 NtWriteVirtualMemory,11_2_02092302
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02092157 NtWriteVirtualMemory,11_2_02092157
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_0209287C NtWriteVirtualMemory,11_2_0209287C
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_0209237F NtWriteVirtualMemory,11_2_0209237F
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_020923DE NtWriteVirtualMemory,11_2_020923DE
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_020901D3 NtSetInformationThread,TerminateProcess,11_2_020901D3
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00561666 NtProtectVirtualMemory,12_2_00561666
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00563314 NtSetInformationThread,12_2_00563314
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00560F1B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,12_2_00560F1B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00562F36 NtProtectVirtualMemory,12_2_00562F36
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00560EE0 CreateThread,TerminateThread,NtProtectVirtualMemory,12_2_00560EE0
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_005615E8 Sleep,NtProtectVirtualMemory,12_2_005615E8
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_0056165B NtProtectVirtualMemory,12_2_0056165B
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00560343 NtProtectVirtualMemory,12_2_00560343
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00561619 NtProtectVirtualMemory,12_2_00561619
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_005601D3 NtSetInformationThread,12_2_005601D3
PE file contains strange resources
Source: bedrapes.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kantaterne.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: bedrapes.exe, 00000000.00000002.815115946.00000000028B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs bedrapes.exe
Source: bedrapes.exe, 00000002.00000002.856866617.000000001D6E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs bedrapes.exe
Source: bedrapes.exe, 00000002.00000002.857004798.000000001D730000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs bedrapes.exe
Source: bedrapes.exe, 00000002.00000002.857004798.000000001D730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs bedrapes.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/2@5/3
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Mutant created: \Sessions\1\BaseNamedObjects\-
Source: C:\Users\user\Desktop\bedrapes.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD1B0C3898456A5E7.TMP
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.vbs'
Source: bedrapes.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bedrapes.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\bedrapes.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\bedrapes.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: bedrapes.exe | Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\bedrapes.exe | File read: C:\Users\user\Desktop\bedrapes.exe
Source: unknown | Process created: C:\Users\user\Desktop\bedrapes.exe 'C:\Users\user\Desktop\bedrapes.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe
Source: C:\Users\user\Desktop\bedrapes.exe | Process created: C:\Users\user\Desktop\bedrapes.exe 'C:\Users\user\Desktop\bedrapes.exe'
Source: C:\Users\user\Desktop\bedrapes.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe
Source: C:\Users\user\Desktop\bedrapes.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: kantaterne.exe PID: 5968, type: MEMORY
Source: Yara match | File source: Process Memory Space: kantaterne.exe PID: 5028, type: MEMORY
Source: Yara match | File source: Process Memory Space: bedrapes.exe PID: 5544, type: MEMORY
Source: Yara match | File source: Process Memory Space: kantaterne.exe PID: 5672, type: MEMORY
Source: Yara match | File source: Process Memory Space: kantaterne.exe PID: 5980, type: MEMORY
Source: Yara match | File source: Process Memory Space: bedrapes.exe PID: 5476, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005627C5 LoadLibraryA,GetProcAddress,10_2_005627C5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_00401E47 push FFFFFF9Dh; retf 0_2_00401E4D
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_00401E5C push FFFFFF9Dh; retf 0_2_00401E4D
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_0040BEA0 pushad ; retn 0040h 0_2_0040DBE9
Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_004017AF push D93D8E8Eh; iretd 0_2_004017B4
Drops PE files
Source: C:\Users\user\Desktop\bedrapes.exe | File created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\bedrapes.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pennyroyal C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.vbs
Source: C:\Users\user\Desktop\bedrapes.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pennyroyal
Source: C:\Users\user\Desktop\bedrapes.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA29F3 | 0_2_02AA29F3
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_005629F3 | 2_2_005629F3
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C29F3 | 3_2_022C29F3
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005629F3 | 10_2_005629F3
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_020929F3 | 11_2_020929F3
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_005629F3 | 12_2_005629F3
            Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
            Sleep loop found (likely to delay execution)
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Thread sleep count: Count: 4694 delay: -5
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Thread sleep count: Count: 2204 delay: -5
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\bedrapes.exe | RDTSC instruction interceptor: First address: 0000000002AA29F6 second address: 0000000002AA2A14 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FE4DC5F8D02h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\bedrapes.exe | RDTSC instruction interceptor: First address: 0000000002AA2A14 second address: 0000000002AA29F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 lfence 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\bedrapes.exe | RDTSC instruction interceptor: First address: 00000000005629F6 second address: 0000000000562A14 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FE4DC5F8D02h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\bedrapes.exe | RDTSC instruction interceptor: First address: 0000000000562A14 second address: 00000000005629F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FE4DCA336C6h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FE4DCA336BEh 0x00000020 push ecx 0x00000021 call 00007FE4DCA336F3h 0x00000026 lfence 0x00000029 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 00000000022C29F6 second address: 00000000022C2A14 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FE4DC5F8D02h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 00000000022C2A14 second address: 00000000022C29F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FE4DCA336C6h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FE4DCA336BEh 0x00000020 push ecx 0x00000021 call 00007FE4DCA336F3h 0x00000026 lfence 0x00000029 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 00000000005629F6 second address: 0000000000562A14 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FE4DC5F8D02h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 0000000000562A14 second address: 00000000005629F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FE4DCA336C6h 0x00000018 push ecx 0x00000019 call 00007FE4DCA336F3h 0x0000001e lfence 0x00000021 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 00000000020929F6 second address: 0000000002092A14 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FE4DC5F8D02h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 0000000002092A14 second address: 00000000020929F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FE4DCA336C6h 0x00000018 push ecx 0x00000019 call 00007FE4DCA336F3h 0x0000001e lfence 0x00000021 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | RDTSC instruction interceptor: First address: 0000000000562A14 second address: 00000000005629F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE4DCA336A0h 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FE4DCA336C6h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FE4DCA336BEh 0x00000020 push ecx 0x00000021 call 00007FE4DCA336F3h 0x00000026 lfence 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA29F3 rdtsc | 0_2_02AA29F3
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Window / User API: threadDelayed 4694
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Window / User API: threadDelayed 2204
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe TID: 5176 | Thread sleep count: 4694 > 30
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe TID: 208 | Thread sleep count: 2204 > 30
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Last function: Thread delayed
            Source: kantaterne.exe, 0000000A.00000002.1205783710.0000000000897000.00000004.00000020.sdmp, kantaterne.exe, 0000000C.00000002.1205750117.00000000009D8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: kantaterne.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA01D3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 | 0_2_02AA01D3
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\bedrapes.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA29F3 rdtsc | 0_2_02AA29F3
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA1841 LdrInitializeThunk, | 0_2_02AA1841
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005627C5 LoadLibraryA,GetProcAddress, | 10_2_005627C5
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA25A7 mov eax, dword ptr fs:[00000030h] | 0_2_02AA25A7
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA0E3A mov eax, dword ptr fs:[00000030h] | 0_2_02AA0E3A
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA0A10 mov eax, dword ptr fs:[00000030h] | 0_2_02AA0A10
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA1568 mov eax, dword ptr fs:[00000030h] | 0_2_02AA1568
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA2C65 mov eax, dword ptr fs:[00000030h] | 0_2_02AA2C65
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 0_2_02AA294B mov eax, dword ptr fs:[00000030h] | 0_2_02AA294B
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_0056294B mov eax, dword ptr fs:[00000030h] | 2_2_0056294B
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00562C65 mov eax, dword ptr fs:[00000030h] | 2_2_00562C65
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00561568 mov eax, dword ptr fs:[00000030h] | 2_2_00561568
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00560A10 mov eax, dword ptr fs:[00000030h] | 2_2_00560A10
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_00560E3A mov eax, dword ptr fs:[00000030h] | 2_2_00560E3A
            Source: C:\Users\user\Desktop\bedrapes.exe | Code function: 2_2_005625A7 mov eax, dword ptr fs:[00000030h] | 2_2_005625A7
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C0E3A mov eax, dword ptr fs:[00000030h] | 3_2_022C0E3A
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C0A10 mov eax, dword ptr fs:[00000030h] | 3_2_022C0A10
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C1568 mov eax, dword ptr fs:[00000030h] | 3_2_022C1568
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C2C65 mov eax, dword ptr fs:[00000030h] | 3_2_022C2C65
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C294B mov eax, dword ptr fs:[00000030h] | 3_2_022C294B
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 3_2_022C25A7 mov eax, dword ptr fs:[00000030h] | 3_2_022C25A7
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_0056294B mov eax, dword ptr fs:[00000030h] | 10_2_0056294B
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00562C65 mov eax, dword ptr fs:[00000030h] | 10_2_00562C65
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00561568 mov eax, dword ptr fs:[00000030h] | 10_2_00561568
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00560A10 mov eax, dword ptr fs:[00000030h] | 10_2_00560A10
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_005625A7 mov eax, dword ptr fs:[00000030h] | 10_2_005625A7
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02090A10 mov eax, dword ptr fs:[00000030h] | 11_2_02090A10
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02090E3A mov eax, dword ptr fs:[00000030h] | 11_2_02090E3A
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_0209294B mov eax, dword ptr fs:[00000030h] | 11_2_0209294B
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02091568 mov eax, dword ptr fs:[00000030h] | 11_2_02091568
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_02092C65 mov eax, dword ptr fs:[00000030h] | 11_2_02092C65
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 11_2_020925A7 mov eax, dword ptr fs:[00000030h] | 11_2_020925A7
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_0056294B mov eax, dword ptr fs:[00000030h] | 12_2_0056294B
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00562C65 mov eax, dword ptr fs:[00000030h] | 12_2_00562C65
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00561568 mov eax, dword ptr fs:[00000030h] | 12_2_00561568
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00560A10 mov eax, dword ptr fs:[00000030h] | 12_2_00560A10
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_005625A7 mov eax, dword ptr fs:[00000030h] | 12_2_005625A7
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 10_2_00560F1B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory, | 10_2_00560F1B
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Code function: 12_2_00560F1B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory, | 12_2_00560F1B
            Source: C:\Users\user\Desktop\bedrapes.exe | Process created: C:\Users\user\Desktop\bedrapes.exe 'C:\Users\user\Desktop\bedrapes.exe'
            Source: C:\Users\user\Desktop\bedrapes.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe 'C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe'
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe
            Source: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe | Process created: C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe C:\Users\user\AppData\Local\Temp\dhanush\kantaterne.exe
            Source: kantaterne.exe, 0000000A.00000002.1205974556.0000000000F20000.00000002.00000001.sdmp, kantaterne.exe, 0000000C.00000002.1205945044.0000000001060000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: kantaterne.exe, 0000000A.00000002.1205974556.0000000000F20000.00000002.00000001.sdmp, kantaterne.exe, 0000000C.00000002.1205945044.0000000001060000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: kantaterne.exe, 0000000A.00000002.1205974556.0000000000F20000.00000002.00000001.sdmp, kantaterne.exe, 0000000C.00000002.1205945044.0000000001060000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: kantaterne.exe, 0000000A.00000002.1205974556.0000000000F20000.00000002.00000001.sdmp, kantaterne.exe, 0000000C.00000002.1205945044.0000000001060000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scripting 11 | Registry Run Keys / Startup Folder 11 | Process Injection 12 | Software Packing 1 | Input Capture 1 | Virtualization/Sandbox Evasion 21 | Remote File Copy 1 | Input Capture 1 | Data Compressed | Commonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Execution through API 11 | Port Monitors | Accessibility Features | Virtualization/Sandbox Evasion 21 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Uncommonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Graphical User Interface 1 | Accessibility Features | Path Interception | Process Injection 12 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Scripting 11 | Credentials in Files | Security Software Discovery 511 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 1 | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 112 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | File and Directory Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | System Information Discovery 22 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            [Behavior graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]