Analysis Report PO AAN2102002-V020.doc

Overview

General Information

Sample Name: PO AAN2102002-V020.doc
Analysis ID: 357103
MD5: 71e541e756ee25fb690431d271d26e47
SHA1: f7f6c91b2673d889035e3d542aa47c95130d9273
SHA256: b3104dab0a4fd156fd26e66c494970ba11bc2e954b62d7bb23a618ae7519d1b9
Tags: doc

Detection

Nanocore GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Nanocore RAT
Connects to a URL shortener service
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO AAN2102002-V020.doc ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.RegAsm.exe.90000.2.unpack Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.5.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000005.00000002.2342579260.0000000000220000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.182:3765
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.182:3765
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.182:3765
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.182:3765
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.182:3765
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 194.5.98.182:3765
Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.5.98.182:3765
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.199.248.10
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: GOOGLE-PRIVATE-CLOUDUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /3pNzHgj HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: bit.ly
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784442AB-DE8E-4300-98F0-AE5841A8170E}.tmp
Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: https://cbavwq.bl.files.1drv.com/DQ
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: https://cbavwq.bl.files.1drv.com/O
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2354281853.0000000000A86000.00000004.00000020.sdmp String found in binary or memory: https://cbavwq.bl.files.1drv.com/y4m3v2kEpIV8FbxWjD8IYOSGc9eY7yGumgM5fcT1ikVolWrnqtFykMCYtt6EVe-wNwa
Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 3pNzHgj[1].htm.2.dr String found in binary or memory: https://u.teknik.io/TFppy.txt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE
Drops certificate files (DER)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Abnormal high CPU Usage
Source: C:\Users\Public\69577.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\subfolder1\filename1.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0056700D NtProtectVirtualMemory, 5_2_0056700D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0056700B LoadLibraryA,NtProtectVirtualMemory, 5_2_0056700B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566FCB NtProtectVirtualMemory,CreateThread, 5_2_00566FCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566FB1 NtProtectVirtualMemory, 5_2_00566FB1
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566599 5_2_00566599
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C438C8 5_2_00C438C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C498F0 5_2_00C498F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C48C98 5_2_00C48C98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C49C03 5_2_00C49C03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C42418 5_2_00C42418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C4B5C0 5_2_00C4B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C430E7 5_2_00C430E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C43020 5_2_00C43020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00C499B7 5_2_00C499B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 14_2_005501B7 14_2_005501B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_002101B7 17_2_002101B7
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409851 19_2_00409851
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040987E 19_2_0040987E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409828 19_2_00409828
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004098D6 19_2_004098D6
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040990A 19_2_0040990A
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409932 19_2_00409932
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004099DD 19_2_004099DD
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040998E 19_2_0040998E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004099B7 19_2_004099B7
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409A62 19_2_00409A62
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409A09 19_2_00409A09
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409AC1 19_2_00409AC1
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409AF2 19_2_00409AF2
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409A94 19_2_00409A94
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409B48 19_2_00409B48
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040976B 19_2_0040976B
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409B1E 19_2_00409B1E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409739 19_2_00409739
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409BC3 19_2_00409BC3
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004097CB 19_2_004097CB
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004093F4 19_2_004093F4
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_004097FA 19_2_004097FA
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00409798 19_2_00409798
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_00405934 19_2_00405934
PE file contains strange resources
Source: filename1.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@16/25@6/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\SMTP Service
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ AAN2102002-V020.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB605.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................).........E.R.R.O.R.:. ...t...............T...............................................h. .......................).....
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................).........E.R.R.O.(.P.....t...............T.......................................................X.......h.'.......).....
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................8.......(.P.............t.......T.......e.................................................................(.....
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO AAN2102002-V020.doc ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: PO AAN2102002-V020.doc Static file information: File size 1297796 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.5.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000005.00000002.2342579260.0000000000220000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E5E25 push esp; retf 5_2_003E5E26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E9D68 pushad ; retf 5_2_003E9D69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E9D64 push eax; retf 5_2_003E9D65
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E74A8 push ebp; ret 5_2_003E74A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E749C push ecx; ret 5_2_003E749D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_003E9880 push ecx; retf 003Eh 5_2_003E98A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566C41 push eax; ret 5_2_00566C87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566C27 push eax; ret 5_2_00566C87
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 14_2_0028A120 push 7B2DC3FCh; ret 14_2_0028A19D
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040E4E3 push ecx; ret 19_2_0040E543
Source: C:\Users\user\subfolder1\filename1.exe Code function: 19_2_0040BE2F push esi; ret 19_2_0040BE41

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005674F1 CreateThread, 5_2_005674F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005643E9 InternetOpenA,InternetOpenUrlA, 5_2_005643E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0056704C CreateThread, 5_2_0056704C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562C4B 5_2_00562C4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00567063 CreateThread, 5_2_00567063
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562C69 5_2_00562C69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00563019 5_2_00563019
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0056302B 5_2_0056302B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562CE3 5_2_00562CE3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005630EF 5_2_005630EF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562C97 5_2_00562C97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00563092 5_2_00563092
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00567086 CreateThread, 5_2_00567086
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562C81 5_2_00562C81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005630B5 5_2_005630B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562CB5 5_2_00562CB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562D73 5_2_00562D73
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562D02 5_2_00562D02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00563125 5_2_00563125
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562D2D 5_2_00562D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562DC5 5_2_00562DC5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562DEE 5_2_00562DEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562D8D 5_2_00562D8D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562DAA 5_2_00562DAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562E4C 5_2_00562E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562E6D 5_2_00562E6D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562E1D 5_2_00562E1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562EC4 5_2_00562EC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562EB2 5_2_00562EB2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562F71 5_2_00562F71
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562F0D 5_2_00562F0D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562FD2 5_2_00562FD2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562FC1 5_2_00562FC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566FCB NtProtectVirtualMemory,CreateThread, 5_2_00566FCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562BF5 5_2_00562BF5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562F85 5_2_00562F85
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000327097 second address: 0000000000327097 instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000003239D5 second address: 00000000003239D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F085CED7288h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F085CED7292h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F085CED7224h 0x0000002f jmp 00007F085CED7292h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F085CED728Dh 0x00000035 push ecx 0x00000036 jmp 00007F085CED7292h 0x00000038 test dx, dx 0x0000003b call 00007F085CED72DFh 0x00000040 call 00007F085CED7298h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000320F13 second address: 0000000000320F13 instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000322D13 second address: 0000000000322D13 instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000003232EE second address: 00000000003232EE instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000560FE0 second address: 0000000000560FE0 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000561093 second address: 0000000000561093 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000561166 second address: 0000000000561166 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000561216 second address: 0000000000561216 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000564496 second address: 0000000000564496 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000005645F2 second address: 00000000005645F2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056220E second address: 000000000056220E instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000562398 second address: 000000000056243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CF4DEA2h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F085CF4E4FBh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F085CF4DF75h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F085CF4DEA2h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F085CF4DE97h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F085CF4DEA2h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F085CF4DEA2h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F085CF4DEA2h 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056243D second address: 00000000005624DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CED7292h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F085CED73FCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F085CED7292h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F085CED7915h 0x0000003a jmp 00007F085CED7292h 0x0000003c jmp 00007F085CED729Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F085CED7354h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F085CED73C3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F085CED7296h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F085CED7292h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F085CED7292h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F085CED7292h 0x00000079 pushad 0x0000007a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000005624DF second address: 00000000005624DF instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000562599 second address: 0000000000562599 instructions:
Tries to detect Any.run
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: U-GA\QEMU-GA.EXE
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000323C6A second address: 0000000000323C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F085CF50412h 0x0000001d popad 0x0000001e call 00007F085CF4DEDDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000326A3C second address: 0000000000326B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F085CED7292h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F085CED7292h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F085CED7292h 0x00000025 jmp 00007F085CED729Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F085CED7292h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F085CED7292h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F085CED7292h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000326B00 second address: 0000000000326BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F085CF4DEA2h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F085CF4DEA2h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F085CF4DEA2h 0x0000002b jmp 00007F085CF4DEAEh 0x0000002d jmp 00007F085CF4DEA2h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F085CF4DEA2h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F085CF4DEA2h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000326BBF second address: 0000000000326BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F085CED74A5h 0x00000014 jmp 00007F085CED7292h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F085CED723Eh 0x0000001e jmp 00007F085CED7292h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 000000000032767F second address: 00000000003276BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F085CF4DFE6h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F085CF4DFDCh 0x00000025 jmp 00007F085CF4DEA2h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000563C6A second address: 0000000000563C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F085CF50412h 0x0000001d popad 0x0000001e call 00007F085CF4DEDDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000566A3C second address: 0000000000566B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F085CED7292h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F085CED7292h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F085CED7292h 0x00000025 jmp 00007F085CED729Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F085CED7292h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F085CED7292h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F085CED7292h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000566B00 second address: 0000000000566BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F085CF4DEA2h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F085CF4DEA2h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F085CF4DEA2h 0x0000002b jmp 00007F085CF4DEAEh 0x0000002d jmp 00007F085CF4DEA2h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F085CF4DEA2h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F085CF4DEA2h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000566BBF second address: 0000000000566BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F085CED74A5h 0x00000014 jmp 00007F085CED7292h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F085CED723Eh 0x0000001e jmp 00007F085CED7292h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056767F second address: 00000000005676BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F085CF4DFE6h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F085CF4DFDCh 0x00000025 jmp 00007F085CF4DEA2h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005674F1 rdtsc 5_2_005674F1
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1916 Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1916 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2984 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 152 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1976 Thread sleep time: -80000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2300 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1840 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\
Source: RegAsm.exe Binary or memory string: u-ga\qemu-ga.exe
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\Public\69577.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\Public\69577.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005674F1 rdtsc 5_2_005674F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00564845 LdrInitializeThunk, 5_2_00564845
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566852 mov eax, dword ptr fs:[00000030h] 5_2_00566852
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00565851 mov eax, dword ptr fs:[00000030h] 5_2_00565851
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005668D5 mov eax, dword ptr fs:[00000030h] 5_2_005668D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005668C1 mov eax, dword ptr fs:[00000030h] 5_2_005668C1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566899 mov eax, dword ptr fs:[00000030h] 5_2_00566899
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00566888 mov eax, dword ptr fs:[00000030h] 5_2_00566888
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00565D79 mov eax, dword ptr fs:[00000030h] 5_2_00565D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005637B7 mov eax, dword ptr fs:[00000030h] 5_2_005637B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_005637BD mov eax, dword ptr fs:[00000030h] 5_2_005637BD
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\Public\69577.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 560000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00562FD2 cpuid 5_2_00562FD2
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: RegAsm.exe, 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE
Behavior Graph: ID: 357103, Sample: PO AAN2102002-V020.doc, Startdate: 24/02/2021, Architecture: WINDOWS, Score: 100

Sample (start node):
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Malicious sample detected (through community Yara rule)
  • Sigma detected: Scheduled temp file as task from temp location
  • 16 other signatures
  • Started: EQNEDT32.EXE, taskeng.exe, WINWORD.EXE, 3 other processes

EQNEDT32.EXE:
  • DNS/IP: 67.199.248.10, 49165, 80 GOOGLE-PRIVATE-CLOUDUS United States
  • DNS/IP: teknik.io 5.79.72.163, 443, 49166 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands
  • DNS/IP: 2 other IPs or domains
  • Dropped: C:\Users\user\AppData\Local\...\TFppy[1].txt, PE32
  • Dropped: C:\Users\Public\69577.exe, PE32
  • Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • Started: 69577.exe

taskeng.exe:
  • Started: smtpsvc.exe

69577.exe:
  • Writes to foreign memory regions
  • Detected RDTSC dummy instruction sequence (likely for instruction hammering)
  • Tries to detect Any.run
  • 2 other signatures
  • Started: RegAsm.exe

RegAsm.exe:
  • DNS/IP: 194.5.98.182, 3765, 49171, 49172 DANILENKODE Netherlands
  • DNS/IP: onedrive.live.com
  • DNS/IP: 2 other IPs or domains
  • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO
  • Dropped: C:\Users\user\AppData\Local\...\tmp1A35.tmp, XML
  • Dropped: C:\Users\user\subfolder1\filename1.exe, PE32
  • Dropped: C:\Program Files (x86)\...\smtpsvc.exe, PE32
  • Contains functionality to detect hardware virtualization (CPUID execution measurement)
  • Detected RDTSC dummy instruction sequence (likely for instruction hammering)
  • Tries to detect Any.run
  • 3 other signatures
  • Started: schtasks.exe, schtasks.exe

Contacted Public IPs

IP             Domain   Country        ASN     ASN Name                         Malicious
194.5.98.182   unknown  Netherlands    208476  DANILENKODE                      true
67.199.248.10  unknown  United States  396982  GOOGLE-PRIVATE-CLOUDUS           true
5.79.72.163    unknown  Netherlands    60781   LEASEWEB-NL-AMS-01NetherlandsNL  false

Contacted Domains

Name                      IP             Active
bit.ly                    67.199.248.11  true
teknik.io                 5.79.72.163    true
onedrive.live.com         unknown        unknown
cbavwq.bl.files.1drv.com  unknown        unknown
u.teknik.io               unknown        unknown

Contacted URLs

Name                   Malicious  Antivirus Detection  Reputation
http://bit.ly/3pNzHgj  false                           high