Analysis Report REQUEST FOR OFFER.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER.exe
Analysis ID: 356550
MD5: 0fc3feecc0164c588f7afab6e51d566b
SHA1: 60115fc27261ecf866c1900d3d5f59520a2ab65a
SHA256: b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: REQUEST FOR OFFER.exe ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REQUEST FOR OFFER.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: REQUEST FOR OFFER.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: REQUEST FOR OFFER.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000F.00000002.472909502.00000000005B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_09AC3EB8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_09AC3EB8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_09AC41D8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_09AC41D8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_09AC3724
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_09AC4750
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_09AC39D4
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_09AC4830
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_09AC3EAC
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_09AC3EAC
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_09AC41CD
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_09AC41CD
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then xor edx, edx 14_2_09AC4104
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then xor edx, edx 14_2_09AC4110
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_09AC660C
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://HDgGGv.com
Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: REQUEST FOR OFFER.exe, 00000000.00000003.217353767.0000000009A83000.00000004.00000001.sdmp, badman.exe, 0000000E.00000003.339036712.0000000009D73000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 0000000E.00000003.414205130.0000000009D7B000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: REQUEST FOR OFFER.exe, 00000000.00000002.332840777.0000000009A85000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%vp
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326751684.0000000002F99000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417471164.00000000032A2000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: badman.exe, 0000000E.00000002.416023782.000000000171C000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: REQUEST FOR OFFER.exe, 00000000.00000002.326675089.0000000002F51000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417359766.0000000003271000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: badman.exe, 0000000E.00000002.415764605.0000000001670000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: REQUEST FOR OFFER.exe, o0F/Jk3.cs Large array initialization: .cctor: array initializer size 10710
Source: badman.exe.0.dr, o0F/Jk3.cs Large array initialization: .cctor: array initializer size 10710
Source: 15.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6199813Du002d6350u002d451Du002dBAD9u002dE7ED453A94A3u007d/u0032B36B790u002d76E1u002d4C05u002d8847u002d37064A0FEE12.cs Large array initialization: .cctor: array initializer size 11932
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_052F18DC CreateProcessAsUserW, 14_2_052F18DC
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: REQUEST FOR OFFER.exe, 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameesYxxWZqNRQpRkZCeBoPbAssohMUzrRtOep.exe4 vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331384751.0000000006AF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.332027247.0000000006E40000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327921433.0000000003F58000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.325457688.0000000000C76000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmp Binary or memory string: originalfilename vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.331764576.0000000006D70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs REQUEST FOR OFFER.exe
Source: REQUEST FOR OFFER.exe Binary or memory string: OriginalFilenameFresh.exeH vs REQUEST FOR OFFER.exe
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: 15.2.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/5@0/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File created: C:\Users\user\AppData\Roaming\badman.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: REQUEST FOR OFFER.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-32
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-administrator-50
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-48
Source: badman.exe String found in binary or memory: icons8-add-administrator-50
Source: badman.exe String found in binary or memory: icons8-add-48
Source: badman.exe String found in binary or memory: icons8-add-32
Source: badman.exe String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-24
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-32[
Source: REQUEST FOR OFFER.exe String found in binary or memory: icons8-add-48
Source: REQUEST FOR OFFER.exe String found in binary or memory: 6icons8-add-administrator-50
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File read: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\REQUEST FOR OFFER.exe 'C:\Users\user\Desktop\REQUEST FOR OFFER.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: REQUEST FOR OFFER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA6E9E push ecx; iretd 0_2_00BA6EA4
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA4E89 push 52BA5CE0h; ret 0_2_00BA4E8E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA56E4 push ebp; retf 0_2_00BA56E3
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA4008 push FFFFFFCBh; iretd 0_2_00BA4010
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA4A0C push es; retf 0_2_00BA4A1D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA427E push esp; retf 0_2_00BA427F
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA67FF push 40907420h; ret 0_2_00BA6810
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA3F18 push FFFFFFCBh; iretd 0_2_00BA3F20
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA535E push edx; retf 0_2_00BA5367
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA4148 push edx; retf 0_2_00BA414F
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Code function: 0_2_00BA5D4C push FFFFFFFFh; retf 0_2_00BA5D4E
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE56E4 push ebp; retf 14_2_00EE56E3
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE4E89 push 52BA5CE0h; ret 14_2_00EE4E8E
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE6E9E push ecx; iretd 14_2_00EE6EA4
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE427E push esp; retf 14_2_00EE427F
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE4A0C push es; retf 14_2_00EE4A1D
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE4008 push FFFFFFCBh; iretd 14_2_00EE4010
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE67FF push 40907420h; ret 14_2_00EE6810
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE5D4C push FFFFFFFFh; retf 14_2_00EE5D4E
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE4148 push edx; retf 14_2_00EE414F
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE535E push edx; retf 14_2_00EE5367
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_00EE3F18 push FFFFFFCBh; iretd 14_2_00EE3F20
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_07197E84 push ecx; iretd 14_2_07197E86
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_07191BDA push ecx; ret 14_2_07191BDE
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_09ACECD2 push ebx; ret 14_2_09ACECDB
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 14_2_09AC9FC8 push edi; ret 14_2_09AC9FE9
Source: REQUEST FOR OFFER.exe, p5M/y9B.cs High entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'
Source: badman.exe.0.dr, p5M/y9B.cs High entropy of concatenated method names: '.ctor', 'Ht4', 's2Y', 'i6Y', 'a1C', 'q7A', 's3K', 'w8A', 'Br5', 'Gs4'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File created: C:\Users\user\AppData\Roaming\badman.exe Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File opened: C:\Users\user\Desktop\REQUEST FOR OFFER.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\badman.exe File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\badman.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\badman.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Window / User API: threadDelayed 2402
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Window / User API: threadDelayed 7343
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 618
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 9155
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 9556
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 Thread sleep count: 2402 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5828 Thread sleep count: 7343 > 30
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe TID: 5888 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 Thread sleep count: 618 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 5872 Thread sleep count: 9155 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 1968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 Thread sleep count: 263 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6084 Thread sleep count: 9556 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5036 Thread sleep count: 39 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Last function: Thread delayed
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: VMware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: REQUEST FOR OFFER.exe, 00000000.00000002.327847947.00000000033C5000.00000004.00000001.sdmp, badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: badman.exe, 0000000E.00000002.417906722.000000000335C000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: badman.exe, 0000000E.00000002.415907828.00000000016AE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: REQUEST FOR OFFER.exe, 00000000.00000002.330640897.0000000005FA0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000F.00000002.483211695.0000000005A90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\badman.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\badman.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 756008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000F.00000002.477401002.0000000001390000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Queries volume information: C:\Users\user\Desktop\REQUEST FOR OFFER.exe VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 15_2_05C22654 GetUserNameW, 15_2_05C22654
Source: C:\Users\user\Desktop\REQUEST FOR OFFER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
Source: Yara match File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000E.00000002.423799814.0000000004AF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.424117469.0000000004C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328242176.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.423910607.0000000004B58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328670808.0000000004948000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.477839397.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.472316965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: REQUEST FOR OFFER.exe PID: 4156, type: MEMORY
Source: Yara match File source: Process Memory Space: badman.exe PID: 5900, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1936, type: MEMORY
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4c9e3d0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bfb8ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4b8f12a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48a5bb2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.497ea88.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4c9e3d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4b8f12a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bc54fa.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bfb8ba.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.48dbf72.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.badman.exe.4bc54fa.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.486f7e2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.REQUEST FOR OFFER.exe.49486d2.6.raw.unpack, type: UNPACKEDPE
Behavior Graph ID: 356550
Sample: REQUEST FOR OFFER.exe
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AntiVM_3; 2 other signatures

Process tree (recovered from the behavior graph):
REQUEST FOR OFFER.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\badman.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\...\badman.exe:Zone.Identifier (ASCII); C:\Users\user\...\REQUEST FOR OFFER.exe.log (ASCII)
    Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    badman.exe (started)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
        InstallUtil.exe (started)
            Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    cmd.exe (started)
        conhost.exe (started)
        reg.exe (started)
No contacted IP infos