Analysis Report dd.exe

Overview

General Information

Sample Name: dd.exe
Analysis ID: 380091
MD5: 287073f3d2c3100ba375b7bf0db3b0d9
SHA1: 8e09353697169cd3caaf49a008d53ade63b25526
SHA256: f32f7005937b4c94ff31996fde6a0843c05bfb47458ad29a15ddf3fb70c435d2

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Potential malicious icon found
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates multiple autostart registry keys
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/% Avira URL Cloud: Label: malware

Compliance:

Uses 32bit PE files
Source: dd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49749 -> 79.134.225.109:6090
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.109 79.134.225.109
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.109 (14 occurrences)
Source: unknown DNS traffic detected: queries for: www.sogecoenergy.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp String found in binary or memory: http://www.yandex.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000003.746499859.00000000036CB000.00000004.00000001.sdmp String found in binary or memory: https://ma.yandex.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp String found in binary or memory: https://mariotessarollo.com/%
Source: RegAsm.exe String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000B.00000002.919392238.0000000000F01000.00000040.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: RegAsm.exe String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49769 version: TLS 1.2
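
The two Networking signatures above that matter most for hunting are the TCP session to 79.134.225.109:6090 with no DNS query behind it and the JA3 client fingerprint 37f463bf4616ecd445d4a1937da06e19. The script below is an added example, not part of the Joe Sandbox report: it runs both checks over Zeek-style conn, dns and ssl records. The records are constructed from the report's IPs and ports; which hostname resolved to which address and which TLS session carried the JA3 hash are assumptions made for the example, as is the list of "standard" ports.

```python
# Added example, not part of the Joe Sandbox report. Reproduces two of the
# Networking signatures over Zeek-style conn/dns/ssl records: a TCP
# connection to a non-standard port whose destination never appeared in a DNS
# answer (the report's 79.134.225.109:6090), and a TLS session whose JA3 client
# fingerprint is on a watch list. The log lines are constructed from the
# report's values; hostname-to-IP mapping and the session carrying the JA3
# hash are assumptions, not facts from the report.
from dataclasses import dataclass
from ipaddress import ip_address

# Ports a workstation is expected to reach; anything else counts as non-standard here.
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}
# Report IOCs used as a watch list.
BAD_JA3 = {"37f463bf4616ecd445d4a1937da06e19"}
BAD_IPS = {"79.134.225.109"}

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
DNS_FIELDS = ["ts", "uid", "id.orig_h", "query", "answers"]
SSL_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "ja3"]


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    port: int
    detail: str


def parse_tsv(text, fields):
    """Parse tab-separated records (Zeek ASCII style, minus the header) into dicts."""
    rows = []
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def resolved_ips(dns_rows):
    """Every IP that appeared in a DNS answer within the analysed window."""
    ips = set()
    for r in dns_rows:
        for ans in r["answers"].split(","):
            try:
                ips.add(str(ip_address(ans.strip())))
            except ValueError:
                pass  # CNAME, empty answer or NXDOMAIN marker
    return ips


def detect(conn_rows, dns_rows, ssl_rows):
    """Return alerts for DNS-less non-standard-port TCP, IOC IPs and watch-listed JA3."""
    alerts = []
    known = resolved_ips(dns_rows)
    for c in conn_rows:
        dst, port = c["id.resp_h"], int(c["id.resp_p"])
        if c["proto"] != "tcp" or ip_address(dst).is_private:
            continue
        if port not in STANDARD_PORTS and dst not in known:
            alerts.append(Alert("tcp_no_dns_nonstd_port", c["id.orig_h"], dst, port,
                                "destination never returned by a DNS answer"))
        if dst in BAD_IPS:
            alerts.append(Alert("known_bad_ip", c["id.orig_h"], dst, port, "IOC match"))
    for s in ssl_rows:
        if s["ja3"] in BAD_JA3:
            alerts.append(Alert("ja3_watchlist", s["id.orig_h"], s["id.resp_h"],
                                int(s["id.resp_p"]), "ja3=" + s["ja3"]))
    return alerts


# Constructed sample records (tab-separated), built from the report's IPs and ports.
CONN_LOG = (
    "1.0\tC1\t192.168.2.4\t49745\t116.203.34.79\t443\ttcp\n"
    "2.0\tC2\t192.168.2.4\t49748\t185.81.0.109\t443\ttcp\n"
    "3.0\tC3\t192.168.2.4\t49749\t79.134.225.109\t6090\ttcp\n"
    "4.0\tC4\t192.168.2.4\t52000\t192.168.2.1\t53\tudp\n"
)
DNS_LOG = (
    "0.5\tD1\t192.168.2.4\tmariotessarollo.com\t116.203.34.79\n"
    "1.5\tD2\t192.168.2.4\twww.sogecoenergy.com\t185.81.0.109\n"
)
SSL_LOG = "2.1\tC2\t192.168.2.4\t49748\t185.81.0.109\t443\t37f463bf4616ecd445d4a1937da06e19\n"


def run_sample():
    return detect(parse_tsv(CONN_LOG, CONN_FIELDS),
                  parse_tsv(DNS_LOG, DNS_FIELDS),
                  parse_tsv(SSL_LOG, SSL_FIELDS))


if __name__ == "__main__":
    for a in run_sample():
        print(a.rule, a.src, "->", "%s:%d" % (a.dst, a.port), a.detail)
```

On the constructed input the 6090 session fires twice (no DNS answer and IOC match) and the TLS session once for the JA3 hash; the two HTTPS sessions stay quiet because their destinations were resolved first. The DNS-less check is the one that survives infrastructure changes: a C2 address hard-coded in the payload never shows up in dns.log, whatever IP it happens to be.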

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160E24 NtWriteVirtualMemory, 0_2_02160E24
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_021606D1
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165AE2 NtProtectVirtualMemory, 0_2_02165AE2
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165F1D NtMapViewOfSection, 0_2_02165F1D
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216049A EnumWindows,NtSetInformationThread, 0_2_0216049A
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216261F NtWriteVirtualMemory, 0_2_0216261F
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162200 NtWriteVirtualMemory, 0_2_02162200
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166208 NtMapViewOfSection, 0_2_02166208
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160634 NtSetInformationThread, 0_2_02160634
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166223 NtMapViewOfSection, 0_2_02166223
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162250 NtWriteVirtualMemory, 0_2_02162250
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166243 NtMapViewOfSection, 0_2_02166243
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216164F NtSetInformationThread, 0_2_0216164F
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160678 NtSetInformationThread, 0_2_02160678
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162667 NtWriteVirtualMemory, 0_2_02162667
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166264 NtMapViewOfSection, 0_2_02166264
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165A92 NtProtectVirtualMemory, 0_2_02165A92
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216268F NtWriteVirtualMemory, 0_2_0216268F
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165A8D NtProtectVirtualMemory, 0_2_02165A8D
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021622B6 NtWriteVirtualMemory, 0_2_021622B6
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160ED4 NtWriteVirtualMemory, 0_2_02160ED4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021622F0 NtWriteVirtualMemory, 0_2_021622F0
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216231C NtWriteVirtualMemory, 0_2_0216231C
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162F0C NtSetInformationThread, 0_2_02162F0C
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165F30 NtMapViewOfSection, 0_2_02165F30
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162350 NtWriteVirtualMemory, 0_2_02162350
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165F5A NtMapViewOfSection, 0_2_02165F5A
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165F78 NtMapViewOfSection, 0_2_02165F78
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162393 NtWriteVirtualMemory, 0_2_02162393
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165FA8 NtMapViewOfSection, 0_2_02165FA8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021623D4 NtWriteVirtualMemory, 0_2_021623D4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165FD8 NtMapViewOfSection, 0_2_02165FD8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165FC8 NtMapViewOfSection, 0_2_02165FC8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165FF4 NtMapViewOfSection, 0_2_02165FF4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166010 NtMapViewOfSection, 0_2_02166010
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162424 NtWriteVirtualMemory, 0_2_02162424
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162452 NtWriteVirtualMemory, 0_2_02162452
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166040 NtMapViewOfSection, 0_2_02166040
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166068 NtMapViewOfSection, 0_2_02166068
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164898 NtSetInformationThread, 0_2_02164898
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162487 NtWriteVirtualMemory, 0_2_02162487
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166088 NtMapViewOfSection, 0_2_02166088
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021660A6 NtMapViewOfSection, 0_2_021660A6
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021660D8 NtMapViewOfSection, 0_2_021660D8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021660C4 NtMapViewOfSection, 0_2_021660C4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021660FC NtMapViewOfSection, 0_2_021660FC
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021628E5 NtWriteVirtualMemory, 0_2_021628E5
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02166133 NtMapViewOfSection, 0_2_02166133
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216053B NtSetInformationThread, 0_2_0216053B
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162547 NtWriteVirtualMemory, 0_2_02162547
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216057F NtSetInformationThread, 0_2_0216057F
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216257C NtWriteVirtualMemory, 0_2_0216257C
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160560 NtSetInformationThread, 0_2_02160560
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216616A NtMapViewOfSection, 0_2_0216616A
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216619D NtMapViewOfSection, 0_2_0216619D
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216218C NtWriteVirtualMemory, 0_2_0216218C
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216058B NtSetInformationThread, 0_2_0216058B
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021625B4 NtWriteVirtualMemory, 0_2_021625B4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655A7 NtWriteVirtualMemory, 0_2_021655A7
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021661D8 NtMapViewOfSection, 0_2_021661D8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021605F8 NtSetInformationThread, 0_2_021605F8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021625EC NtWriteVirtualMemory, 0_2_021625EC
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021661EC NtMapViewOfSection, 0_2_021661EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251F4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252BC0 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252BDA LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252BDA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252AB2 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LoadLibraryA, 4_2_03252AB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251EEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03255ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_03255ADF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251F07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251F7C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252B54
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252BA4 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251FA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252BBC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252BBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251FD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03255A8C LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03255A8C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03255A92 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03255A92
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251E9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252D04 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_03252D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251D96
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252C33 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252C33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252003
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252C13 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252C13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252C60 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252C7B LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252C7B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_03252CB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03252CCC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03252CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F0646B NtProtectVirtualMemory, 11_2_00F0646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F06048 NtProtectVirtualMemory, 11_2_00F06048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F05DFF NtProtectVirtualMemory, 11_2_00F05DFF
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_00401594 6_2_00401594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_1D9147A0 11_2_1D9147A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_1D914790 11_2_1D914790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_1D914773 11_2_1D914773
PE file contains strange resources
Source: dd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ota.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: asparagussens.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: dd.exe, 00000000.00000002.751462403.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitz vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit+ vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitI vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit6 vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitT vs dd.exe
Source: dd.exe, 00000000.00000002.751006160.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Source: dd.exe Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: dd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@10/3@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Afkodedes8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5
Source: dd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dd.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\ota.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Afkodedes8\asparagussens.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\dd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: unknown Process created: C:\Users\user\Desktop\dd.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Users\user\Desktop\dd.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: unknown Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
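
The process tree above carries the clearest host-side indicator in this report: ieinstal.exe (a Microsoft binary under Program Files) is started with the command line 'C:\Users\user\Desktop\dd.exe', and RegAsm.exe with 'C:\Users\user\AppData\Local\Temp\ota.exe', i.e. each hollowed host inherits the command line of the process that created it suspended and overwrote its image. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling: it scores process-creation events for that mismatch plus the trusted-binary-from-user-path pattern. The events are constructed from the report's process tree with Sysmon Event ID 1 field names; the parent of dd.exe is "unknown" in the report and is left that way.

```python
# Added example, not part of the Joe Sandbox report. Flags the image/command-line
# mismatch visible in the report's process tree: ieinstal.exe and RegAsm.exe run
# with the command line of the process that spawned them, which is what a hollowed
# (created-suspended, then overwritten) host looks like in process-creation telemetry.
# EVENTS below are constructed from the report's process tree; field names follow
# Sysmon Event ID 1 but the records themselves are not real logs.
import ntpath

# Directories whose binaries are normally launched by the OS or by other trusted code.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Paths an unprivileged user can write to (assumption: profile directories only).
USER_WRITABLE = ("c:\\users\\",)


def first_token(cmdline):
    """Return the executable path a Windows command line claims to run."""
    s = cmdline.strip()
    if s[:1] in ("'", '"'):            # quoted path: everything up to the closing quote
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def norm(path):
    return path.lower().replace("/", "\\")


def is_under(path, prefixes):
    return any(norm(path).startswith(p) for p in prefixes)


def hollowing_indicators(event):
    """Reasons (possibly none) why one process-creation event looks like hollowing."""
    reasons = []
    image = norm(event["Image"])
    claimed = norm(first_token(event["CommandLine"]))
    parent = norm(event.get("ParentImage", ""))
    if ntpath.basename(claimed) != ntpath.basename(image):
        reasons.append("command line names %s but image is %s"
                       % (ntpath.basename(claimed), ntpath.basename(image)))
        if claimed == parent:
            reasons.append("command line is the parent's own image path")
    if is_under(image, TRUSTED_DIRS) and is_under(parent, USER_WRITABLE):
        reasons.append("trusted-location binary spawned by a user-writable path")
    return reasons


def scan(events):
    """Return [(image basename, reasons)] for every event with at least one reason."""
    hits = []
    for e in events:
        reasons = hollowing_indicators(e)
        if reasons:
            hits.append((ntpath.basename(e["Image"]), reasons))
    return hits


# Constructed from the report's process tree (the parent of dd.exe is unknown there).
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\dd.exe",
     "CommandLine": r"'C:\Users\user\Desktop\dd.exe'",
     "ParentImage": "unknown"},
    {"Image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "CommandLine": r"'C:\Users\user\Desktop\dd.exe'",
     "ParentImage": r"C:\Users\user\Desktop\dd.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\ota.exe",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\ota.exe'",
     "ParentImage": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\ota.exe'",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\ota.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only ieinstal.exe and RegAsm.exe are flagged, each on all three counts; ota.exe is not, because the mismatch test alone does not catch a dropped file that runs under its own name, which is why the dropped-file and autostart signatures further down still matter. conhost.exe shows the check tolerating an unquoted command line with arguments.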

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
Source: Yara match File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
Source: Yara match File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: dd.exe PID: 7144, type: MEMORY
Source: Yara match File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
Source: Yara match File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254B2C LoadLibraryA,GetProcAddress, 4_2_03254B2C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_02193E13 push eax; ret 6_2_02193E35
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021962CE push eax; ret 6_2_02196328
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021962F8 push eax; ret 6_2_02196328
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_02195B0B push ebp; retf 6_2_02195B22
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021933B3 push ss; ret 6_2_021933B5
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021903EC push eax; ret 6_2_021903ED
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_02193890 pushfd ; retf 6_2_021938D7
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021938BB pushfd ; retf 6_2_021938D7
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021938D8 pushfd ; retf 6_2_021938D7
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_02192CD8 push ecx; ret 6_2_02192CD9
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_0219396E pushfd ; retf 6_2_0219396F
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_02191967 pushfd ; retf 6_2_021919AB
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021959A8 push ebp; retf 6_2_02195B22
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021945D3 pushfd ; ret 6_2_021945EB
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021945F0 pushfd ; ret 6_2_021945EB
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021919EF pushfd ; retf 6_2_021919AB
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 6_2_021915E4 push ecx; ret 6_2_021915E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F040B1 push ecx; ret 11_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F0403E push ecx; ret 11_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F03F87 push ds; retf 11_2_00F03F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_1D913838 push ds; ret 11_2_1D9137E7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\ota.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Afkodedes8\asparagussens.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes Jump to behavior
Source: C:\Users\user\Desktop\dd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_021606D1
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160798 TerminateProcess, 0_2_02160798
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021607B4 TerminateProcess, 0_2_021607B4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160808 TerminateProcess, 0_2_02160808
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160836 TerminateProcess, 0_2_02160836
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160870 TerminateProcess, 0_2_02160870
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021608A8 TerminateProcess, 0_2_021608A8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021608D8 TerminateProcess, 0_2_021608D8
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216090B TerminateProcess, 0_2_0216090B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 000000000216124D second address: 000000000216124D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8128E2BBB8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test ebx, ecx 0x0000001f pop ecx 0x00000020 test ah, dh 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 jmp 00007F8128E2BBC2h 0x00000027 cmp dl, dl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8128E2BB89h 0x0000002e cmp ecx, ebx 0x00000030 push ecx 0x00000031 call 00007F8128E2BBF5h 0x00000036 call 00007F8128E2BBC8h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 00000000021605B3 second address: 00000000021605B3 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003251545 second address: 0000000003251545 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192D2B second address: 0000000002192D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8128D67C28h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007F8128D67C32h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F8128D67BF6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007F8128D67C6Ah 0x00000039 call 00007F8128D67C38h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192338 second address: 0000000002192338 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 00000000021925E9 second address: 00000000021925E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\dd.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\dd.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dd.exe, 00000000.00000002.751509325.0000000002160000.00000040.00000001.sdmp, ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp, RegAsm.exe, asparagussens.exe, 0000000F.00000002.948974883.00000000022F0000.00000040.00000001.sdmp, asparagussens.exe, 00000011.00000002.928559050.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 00000000021613D8 second address: 00000000021613D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8128D6BC47h 0x0000001d popad 0x0000001e call 00007F8128D67C2Dh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 00000000032513D8 second address: 00000000032513D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8128D6BC47h 0x0000001d popad 0x0000001e call 00007F8128D67C2Dh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192F18 second address: 0000000002192F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8128E2E293h 0x0000001d popad 0x0000001e call 00007F8128E2BC09h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02F18 second address: 0000000000F02F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8128D6A303h 0x0000001d popad 0x0000001e call 00007F8128D67C79h 0x00000023 lfence 0x00000026 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 rdtsc 0_2_021606D1
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 3820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6492
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 7.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6912 Thread sleep count: 3820 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2896 Thread sleep time: -20291418481080494s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 3820 delay: -5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: dd.exe, 00000000.00000002.751509325.0000000002160000.00000040.00000001.sdmp, ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp, RegAsm.exe, asparagussens.exe, 0000000F.00000002.948974883.00000000022F0000.00000040.00000001.sdmp, asparagussens.exe, 00000011.00000002.928559050.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000004 0_2_021606D1
Hides threads from debuggers
Source: C:\Users\user\Desktop\dd.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ota.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 rdtsc 0_2_021606D1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162DAF LdrInitializeThunk, 0_2_02162DAF
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254B2C LoadLibraryA,GetProcAddress, 4_2_03254B2C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165612 mov eax, dword ptr fs:[00000030h] 0_2_02165612
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161E06 mov eax, dword ptr fs:[00000030h] 0_2_02161E06
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216565B mov eax, dword ptr fs:[00000030h] 0_2_0216565B
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164658 mov eax, dword ptr fs:[00000030h] 0_2_02164658
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161E40 mov eax, dword ptr fs:[00000030h] 0_2_02161E40
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216164F mov eax, dword ptr fs:[00000030h] 0_2_0216164F
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164668 mov eax, dword ptr fs:[00000030h] 0_2_02164668
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216568C mov eax, dword ptr fs:[00000030h] 0_2_0216568C
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164707 mov eax, dword ptr fs:[00000030h] 0_2_02164707
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164F70 mov eax, dword ptr fs:[00000030h] 0_2_02164F70
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164F79 mov eax, dword ptr fs:[00000030h] 0_2_02164F79
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161D96 mov eax, dword ptr fs:[00000030h] 0_2_02161D96
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655B4 mov eax, dword ptr fs:[00000030h] 0_2_021655B4
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161DB0 mov eax, dword ptr fs:[00000030h] 0_2_02161DB0
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655A7 mov eax, dword ptr fs:[00000030h] 0_2_021655A7
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021629DC mov eax, dword ptr fs:[00000030h] 0_2_021629DC
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655CC mov eax, dword ptr fs:[00000030h] 0_2_021655CC
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161DEB mov eax, dword ptr fs:[00000030h] 0_2_02161DEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254707 mov eax, dword ptr fs:[00000030h] 4_2_03254707
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254F70 mov eax, dword ptr fs:[00000030h] 4_2_03254F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254F79 mov eax, dword ptr fs:[00000030h] 4_2_03254F79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03255612 mov eax, dword ptr fs:[00000030h] 4_2_03255612
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254668 mov eax, dword ptr fs:[00000030h] 4_2_03254668
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254658 mov eax, dword ptr fs:[00000030h] 4_2_03254658
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_0325565B mov eax, dword ptr fs:[00000030h] 4_2_0325565B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_0325568C mov eax, dword ptr fs:[00000030h] 4_2_0325568C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555A7 mov eax, dword ptr fs:[00000030h] 4_2_032555A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555B4 mov eax, dword ptr fs:[00000030h] 4_2_032555B4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555CC mov eax, dword ptr fs:[00000030h] 4_2_032555CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032529D9 mov eax, dword ptr fs:[00000030h] 4_2_032529D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F048DC mov eax, dword ptr fs:[00000030h] 11_2_00F048DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F050B5 mov eax, dword ptr fs:[00000030h] 11_2_00F050B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F05BCB mov eax, dword ptr fs:[00000030h] 11_2_00F05BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F05B66 mov eax, dword ptr fs:[00000030h] 11_2_00F05B66
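Every `mov eax, dword ptr fs:[00000030h]` listed above loads the Process Environment Block pointer out of the TEB. The report does not say which PEB fields the code goes on to read, but the same load is the first step both of the BeingDebugged / NtGlobalFlag anti-debug checks and of walking PEB->Ldr to resolve APIs without an import table, and both behaviours are flagged as separate signatures on this sample ("Checks if the current process is being debugged", "Contains functionality to dynamically determine API calls"). The scanner below is an added example, not code from the Joe Sandbox report or from dd.exe: it finds the two common encodings of that load in a raw byte blob and names the PEB field that the very next instruction dereferences. The field offsets are the documented 32-bit PEB layout; the sample bytes are constructed, not extracted from the sample.

```python
"""Locate 32-bit PEB loads (mov reg, fs:[0x30]) in a raw byte blob and report
which well-known PEB field the very next instruction dereferences.

Added example: a heuristic static scan, not code from the report or the sample.
"""
from __future__ import annotations

from dataclasses import dataclass

FS_PREFIX = 0x64                       # FS segment override
TEB_PEB_OFFSET = b"\x30\x00\x00\x00"   # fs:[0x30] holds the PEB pointer on x86
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Offsets inside the 32-bit PEB that anti-debug and API-resolution code reads.
PEB_FIELDS = {
    0x02: "BeingDebugged",   # set by the kernel while a debugger is attached
    0x0C: "Ldr",             # PEB_LDR_DATA: module list used to find kernel32/ntdll by hand
    0x68: "NtGlobalFlag",    # heap debug flags (0x70) appear here under a debugger
}


@dataclass
class PebRead:
    offset: int        # offset of the fs:[0x30] load in the blob
    reg: str           # register that receives the PEB pointer
    follow_up: str     # PEB field touched by the next instruction, "+0x.." or "unknown"


def _decode_peb_load(blob: bytes, i: int) -> tuple[int, str] | None:
    """Return (instruction length, destination register) if blob[i:] starts
    with `mov reg, dword ptr fs:[0x30]`, else None."""
    if blob[i] != FS_PREFIX:
        return None
    # 64 A1 30 00 00 00        mov eax, fs:[30h]   (MOV EAX, moffs32)
    if blob[i + 1:i + 2] == b"\xA1" and blob[i + 2:i + 6] == TEB_PEB_OFFSET:
        return 6, "eax"
    # 64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00, rm=101 = disp32)
    if blob[i + 1:i + 2] == b"\x8B" and i + 7 <= len(blob):
        modrm = blob[i + 2]
        if (modrm & 0xC7) == 0x05 and blob[i + 3:i + 7] == TEB_PEB_OFFSET:
            return 7, REG_NAMES[(modrm >> 3) & 7]
    return None


def _classify_follow_up(blob: bytes, i: int, reg: str) -> str:
    """Match the instruction at blob[i:] against the [reg+disp8] forms that
    read a PEB field, and name the field."""
    r = REG_NAMES.index(reg)
    if r == 4:                          # [esp+disp8] needs a SIB byte; not decoded here
        return "unknown"
    b = blob[i:i + 4]
    modrm_base = 0x40 | r               # mod=01 (disp8), rm=reg

    def field(disp: int) -> str:
        return PEB_FIELDS.get(disp, f"+0x{disp:02x}")

    # 0F B6 /r disp8    movzx r32, byte ptr [reg+disp8]  (typical BeingDebugged read)
    if len(b) == 4 and b[0] == 0x0F and b[1] == 0xB6 and (b[2] & 0xC7) == modrm_base:
        return field(b[3])
    # 8B /r disp8       mov r32, [reg+disp8]             (Ldr / NtGlobalFlag read)
    if len(b) >= 3 and b[0] == 0x8B and (b[1] & 0xC7) == modrm_base:
        return field(b[2])
    # 80 /7 disp8 imm8  cmp byte ptr [reg+disp8], imm8   (BeingDebugged compare)
    if len(b) == 4 and b[0] == 0x80 and (b[1] & 0xF8) == 0x78 and (b[1] & 7) == r:
        return field(b[2])
    return "unknown"


def find_peb_reads(blob: bytes) -> list[PebRead]:
    """Scan the whole blob and return every PEB load with its follow-up."""
    hits: list[PebRead] = []
    i = 0
    while i + 6 <= len(blob):
        decoded = _decode_peb_load(blob, i)
        if decoded is None:
            i += 1
            continue
        length, reg = decoded
        hits.append(PebRead(i, reg, _classify_follow_up(blob, i + length, reg)))
        i += length
    return hits


# Constructed sample (not bytes from dd.exe): three PEB loads separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]  -> BeingDebugged
    + b"\x90" * 3
    + b"\x64\x8B\x0D\x30\x00\x00\x00"  # mov ecx, fs:[30h]
    + b"\x8B\x41\x0C"                  # mov eax, [ecx+0Ch]           -> Ldr
    + b"\x90" * 2
    + b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[30h]
    + b"\x8B\x40\x68"                  # mov eax, [eax+68h]           -> NtGlobalFlag
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE):
        print(f"0x{hit.offset:04x}: mov {hit.reg}, fs:[30h]  next reads PEB.{hit.follow_up}")
```

A PEB load on its own is not evidence of anti-debugging; compiler runtimes and legitimate loaders touch fs:[0x30] too. What separates the cases is the field read next, which is why the scanner reports the follow-up instead of just counting loads. Run it over the unpacked code regions (here the 0x02160000 range of dd.exe and the injected regions in ieinstal.exe and RegAsm.exe) rather than the packed file on disk.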
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_03251F4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\dd.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3250000
Source: C:\Users\user\AppData\Local\Temp\ota.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dd.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
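The "Writes to foreign memory regions" and "Creates a process in suspended mode" lines above record the two halves of the same event for two hops: dd.exe creates ieinstal.exe and writes into it at base 3250000, and ota.exe creates RegAsm.exe and writes into it at base F00000. Note also that the command line recorded for ieinstal.exe and for RegAsm.exe is the parent's own path, which is what a hollowed process looks like in a process listing. The middle hop, ieinstal.exe creating ota.exe, has no matching foreign write and is a plain drop-and-execute. The script below is an added example, not part of the Joe Sandbox report: it parses those report lines (copied inline), pairs each create with the matching write, and reconstructs the dd.exe -> ieinstal.exe -> ota.exe -> RegAsm.exe chain with the injected hops flagged.

```python
"""Rebuild the process-injection chain from sandbox report lines.

Added example, not part of the Joe Sandbox report: it parses the "Process
created" and "Memory written" lines and pairs them up, so that a parent which
both spawns a child and writes into that child's address space is flagged as a
likely hollowing/injection host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CREATED_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?) '(?P<cmdline>[^']*)'")
WRITTEN_RE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)")

# Copied from the signature lines of the report (report text, not a live capture).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\dd.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3250000",
    r"Source: C:\Users\user\AppData\Local\Temp\ota.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000",
    r"Source: C:\Users\user\Desktop\dd.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'",
    r"Source: C:\Users\user\AppData\Local\Temp\ota.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'",
]


@dataclass
class Step:
    parent: str
    child: str
    cmdline: str
    write_base: int | None   # address the parent wrote into the child, if the report shows one

    @property
    def cmdline_mismatch(self) -> bool:
        # The child's recorded command line names a different image than the
        # one it was started from: the classic hollowing tell.
        return self.cmdline.lower() != self.child.lower()

    @property
    def likely_injected(self) -> bool:
        return self.write_base is not None and self.cmdline_mismatch


def parse_steps(lines: list[str]) -> list[Step]:
    """Pair every 'Process created' line with a 'Memory written' line from the
    same parent into the same child."""
    writes: dict[tuple[str, str], int] = {}
    for line in lines:
        m = WRITTEN_RE.match(line)
        if m:
            writes[(m["writer"], m["target"])] = int(m["base"], 16)
    steps = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            steps.append(Step(m["parent"], m["child"], m["cmdline"],
                              writes.get((m["parent"], m["child"]))))
    return steps


def execution_chain(steps: list[Step]) -> list[str]:
    """Walk from the root process (one that was never spawned) along the
    parent->child edges. Assumes one child per parent, as in this report."""
    child_of = {s.parent: s.child for s in steps}
    spawned = {s.child for s in steps}
    roots = [p for p in child_of if p not in spawned]
    chain: list[str] = []
    cur = roots[0] if roots else None
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = child_of.get(cur)
    return chain


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    steps = parse_steps(REPORT_LINES)
    print(" -> ".join(basename(p) for p in execution_chain(steps)))
    for s in steps:
        tag = "INJECTED" if s.likely_injected else "drop-and-run"
        print(f"{basename(s.parent):>13} spawned {basename(s.child):<12} {tag}")
```

The same pairing logic transfers to endpoint telemetry: a process-create event followed by a cross-process memory write from the creator into the new child, with the child's command line naming a different image, is the pattern to alert on, and the target here being a Microsoft-signed binary (ieinstal.exe, RegAsm.exe) is exactly why the attacker chose it.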

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160A82 cpuid 0_2_02160A82
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
Behavior Graph (ID: 380091, Sample: dd.exe, Start date: 01/04/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Potential malicious icon found; Antivirus detection for URL or domain; Yara detected GuLoader; 5 other signatures
Processes started at the root: dd.exe; asparagussens.exe; asparagussens.exe

dd.exe
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); 4 other signatures
  Started: ieinstal.exe
    ieinstal.exe
      DNS/IP: mariotessarollo.com 185.81.0.109 (443, 49748, 49769; SERVERPLAN-ASIT, Italy); sogecoenergy.com 116.203.34.79 (443, 49745; HETZNER-ASDE, Germany); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\Local\Temp\ota.exe (PE32)
      Signatures: Creates multiple autostart registry keys; Tries to detect Any.run; Hides threads from debuggers
      Started: ota.exe
        ota.exe
          Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
          Started: RegAsm.exe
            RegAsm.exe
              DNS/IP: mariotessarollo.com
              Dropped: C:\Users\user\Afkodedes8\asparagussens.exe (PE32)
              Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys; 4 other signatures
              Started: conhost.exe

Contacted Public IPs

IP              Domain               Country      ASN    ASN Name                 Malicious
116.203.34.79   sogecoenergy.com     Germany      24940  HETZNER-ASDE             false
185.81.0.109    mariotessarollo.com  Italy        52030  SERVERPLAN-ASIT          false
79.134.225.109  unknown              Switzerland  6775   FINK-TELECOM-SERVICESCH  false

Contacted Domains

Name IP Active
sogecoenergy.com 116.203.34.79 true
mariotessarollo.com 185.81.0.109 true
www.sogecoenergy.com unknown unknown