Analysis Report PO45678.exe

Overview

General Information

Sample Name: PO45678.exe
Analysis ID: 358415
MD5: 0f3ca465173914c361362a754a6bf65e
SHA1: 46dded33d12784afe77619a20ee65d1939f881b0
SHA256: 400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140
Tags: exe Hostgator

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0.2.PO45678.exe.3e8b7da.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "box@alscotop.comgodisgreatmail.privateemail.com"}
Multi AV Scanner detection for submitted file
Source: PO45678.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: PO45678.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: PO45678.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO45678.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000004.00000002.490827482.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdbJ source: PO45678.exe, 00000000.00000002.257428591.0000000000902000.00000004.00000020.sdmp
Source: Binary string: InstallUtil.pdb source: PO45678.exe, 00000000.00000002.257428591.0000000000902000.00000004.00000020.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: unknown DNS traffic detected: queries for: mail.privateemail.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PO45678.exe, 00000000.00000002.257035836.0000000000890000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 4.2.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{0140664D-00B4-412E-8482-E3247254E749}/AC89D138-BE2E-48F8-99B9-A10B61AE75F1.cs Large array initialization: .cctor: array initializer size 11952
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\PO45678.exe Code function: 0_2_0451201C CreateProcessAsUserW, 0_2_0451201C
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: PO45678.exe, 00000000.00000002.257428591.0000000000902000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO45678.exe
Source: PO45678.exe, 00000000.00000002.262753091.0000000003498000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO45678.exe
Source: PO45678.exe, 00000000.00000002.263166955.0000000004520000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs PO45678.exe
Source: PO45678.exe, 00000000.00000002.257035836.0000000000890000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO45678.exe
Source: PO45678.exe, 00000000.00000002.264500771.0000000005ED0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO45678.exe
Source: PO45678.exe, 00000000.00000002.262927323.0000000003D7D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIobwYHdtWDofwYxNGTKfRbZXkCNIJuWdMua.exe4 vs PO45678.exe
Uses 32bit PE files
Source: PO45678.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/0
Source: C:\Users\user\Desktop\PO45678.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO45678.exe.log
Source: C:\Users\user\Desktop\PO45678.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO45678.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO45678.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO45678.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO45678.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO45678.exe ReversingLabs: Detection: 21%
Source: PO45678.exe String found in binary or memory: icons8-add-24
Source: PO45678.exe String found in binary or memory: icons8-add-32
Source: PO45678.exe String found in binary or memory: icons8-add-48
Source: PO45678.exe String found in binary or memory: icons8-add-administrator-50
Source: unknown Process created: C:\Users\user\Desktop\PO45678.exe 'C:\Users\user\Desktop\PO45678.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO45678.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO45678.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO45678.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO45678.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: PO45678.exe, Cm15/Ft4q.cs High entropy of concatenated method names: '.ctor', 't6ZG', 'Nb56', 'w0X2', 'm6Z1', 'Yo3j', 'm2G0', 'My05', 'Jb5e', 'Ya42'
Source: PO45678.exe, Jy4/Po0.cs High entropy of concatenated method names: '.ctor', 'Cs1', 'Da1', 'Ak0', 'p9H', 'g3B', 'Dq9', 't7R', 'To3', 'Sx1'
Source: PO45678.exe, Dj51/Jy35.cs High entropy of concatenated method names: '.ctor', 'w9HT', 'n0L', 'k2S', 'g6G', 'a5X', 'p1Q', 'Se5', 'd5M', 'Qq2'
Source: 0.0.PO45678.exe.a0000.0.unpack, Cm15/Ft4q.cs High entropy of concatenated method names: '.ctor', 't6ZG', 'Nb56', 'w0X2', 'm6Z1', 'Yo3j', 'm2G0', 'My05', 'Jb5e', 'Ya42'
Source: 0.0.PO45678.exe.a0000.0.unpack, Jy4/Po0.cs High entropy of concatenated method names: '.ctor', 'Cs1', 'Da1', 'Ak0', 'p9H', 'g3B', 'Dq9', 't7R', 'To3', 'Sx1'
Source: 0.0.PO45678.exe.a0000.0.unpack, Dj51/Jy35.cs High entropy of concatenated method names: '.ctor', 'w9HT', 'n0L', 'k2S', 'g6G', 'a5X', 'p1Q', 'Se5', 'd5M', 'Qq2'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO45678.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO45678.exe File opened: C:\Users\user\Desktop\PO45678.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO45678.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO45678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO45678.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 4264
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 5459
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO45678.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO45678.exe TID: 6472 Thread sleep count: 228 > 30
Source: C:\Users\user\Desktop\PO45678.exe TID: 6472 Thread sleep count: 104 > 30
Source: C:\Users\user\Desktop\PO45678.exe TID: 6452 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO45678.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 964 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4496 Thread sleep count: 4264 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4496 Thread sleep count: 5459 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 964 Thread sleep count: 36 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: VMware
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: InstallUtil.exe, 00000004.00000002.499349173.0000000006150000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: InstallUtil.exe, 00000004.00000002.499962081.0000000006BB0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: InstallUtil.exe, 00000004.00000002.499349173.0000000006150000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: InstallUtil.exe, 00000004.00000002.499349173.0000000006150000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO45678.exe, 00000000.00000002.257428591.0000000000902000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO45678.exe, 00000000.00000002.258605320.0000000002543000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: InstallUtil.exe, 00000004.00000002.499349173.0000000006150000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO45678.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4_2_00DF3708 LdrInitializeThunk, 4_2_00DF3708
Enables debug privileges
Source: C:\Users\user\Desktop\PO45678.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO45678.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO45678.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
Source: C:\Users\user\Desktop\PO45678.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: F6F008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO45678.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 00000004.00000002.493947731.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000004.00000002.493947731.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 00000004.00000002.493947731.0000000001A60000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000004.00000002.493947731.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: InstallUtil.exe, 00000004.00000002.493947731.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO45678.exe Queries volume information: C:\Users\user\Desktop\PO45678.exe VolumeInformation
Source: C:\Users\user\Desktop\PO45678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.262870817.0000000003D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.494036078.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.490156222.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263060829.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262927323.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6708, type: MEMORY
Source: Yara match File source: Process Memory Space: PO45678.exe PID: 6392, type: MEMORY
Source: Yara match File source: 0.2.PO45678.exe.3db3caa.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3de9b8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3e8b7da.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3e1fa5a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3ec1698.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3db3caa.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3ec1698.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3de9b8a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3e8b7da.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO45678.exe.3e1fa5a.4.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.494036078.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6708, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla (same Yara matches as listed under Stealing of Sensitive Information)
No contacted IP infos

Contacted Domains

Name                   IP              Active
mail.privateemail.com  198.54.122.60   true