Analysis Report commercial invoice & packing list doc.exe

Overview

General Information

Sample Name: commercial invoice & packing list doc.exe
Analysis ID: 385429
MD5: 2667a1cdb6366d10ec70d683f453f91e
SHA1: 0710ee8085ec7632a8ff0e8bee5bd1f51c86e1c2
SHA256: dac12ddb5513221e7c64383f8fba0ab66ae876ecad1af0c5e3acc4905327c77e

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FrenchyShellcode packer
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: commercial invoice & packing list doc.exe Avira: detected
Found malware configuration
Source: RegAsm.exe.7056.3.memstr Malware Configuration Extractor: Agenttesla {"Username: ": " JjuvVpvh9", "URL: ": "", "To: ": "", "ByHost: ": "mail.rajalakshmi.co.in:587", "Password: ": " kGYYNpS", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: commercial invoice & packing list doc.exe Virustotal: Detection: 62%
Source: commercial invoice & packing list doc.exe ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: commercial invoice & packing list doc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.commercial invoice & packing list doc.exe.960000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 3.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Spy.Agent.lkofd
Source: 1.2.commercial invoice & packing list doc.exe.960000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 1.2.commercial invoice & packing list doc.exe.3f30000.1.unpack Avira: Label: TR/Spy.Agent.lkofd

Compliance:

Uses 32bit PE files
Source: commercial invoice & packing list doc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: commercial invoice & packing list doc.exe, 00000001.00000003.662372874.000000000699B000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.907969348.0000000000402000.00000040.00000001.sdmp
Source: Binary string: RegAsm.pdb source: NewApp.exe, NewApp.exe.3.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.911518271.0000000005F70000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009C449B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_009C449B

Networking:

May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe DNS query: name: checkip.amazonaws.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 43.225.55.205:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.20.197.7
Source: Joe Sandbox View IP Address: 43.225.55.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 43.225.55.205:587
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_0120A09A recv, 3_2_0120A09A
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00962344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 1_2_00962344
Creates a DirectInput object (often for capturing keystrokes)
Source: NewApp.exe, 00000009.00000002.724047226.0000000000E68000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window created: window name: CLIPBRDWNDCLASS
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009ECB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_009ECB26

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.909325543.0000000003350000.00000004.00000001.sdmp, type: MEMORY Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORY Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.909325543.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORY
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: This is a third-party compiled AutoIt script. 1_2_00963B4C
Source: commercial invoice & packing list doc.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: commercial invoice & packing list doc.exe, 00000001.00000002.665938588.0000000000A14000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: commercial invoice & packing list doc.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05D40472 NtQuerySystemInformation, 3_2_05D40472
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05D40441 NtQuerySystemInformation, 3_2_05D40441
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
PE file contains strange resources
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: commercial invoice & packing list doc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: commercial invoice & packing list doc.exe, 00000001.00000002.667596889.0000000003F86000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSHXMPSVEEZGECDVRWEFZPHZMUMSQVYGIYVQRGLKQ_20191015102905735.exe4 vs commercial invoice & packing list doc.exe
Source: commercial invoice & packing list doc.exe, 00000001.00000003.662372874.000000000699B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIELibrary.dll4 vs commercial invoice & packing list doc.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: security.dll
Uses 32bit PE files
Source: commercial invoice & packing list doc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: 00000003.00000002.909325543.0000000003350000.00000004.00000001.sdmp, type: MEMORY Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORY Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: 3.2.RegAsm.exe.3440a48.2.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_8_v1 date = 2017-02-10, author = US CERT, description = HAMMERTOSS / HammerDuke Implant by APT29, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/4@3/3
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009CA0F4 GetLastError,FormatMessageW, 1_2_009CA0F4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05D402F6 AdjustTokenPrivileges, 3_2_05D402F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05D402BF AdjustTokenPrivileges, 3_2_05D402BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05D409E2 GetDiskFreeSpaceExW, 3_2_05D409E2
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009C3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_009C3C99
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 1_2_00964FE9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Roaming\NewApp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
Source: commercial invoice & packing list doc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: commercial invoice & packing list doc.exe Virustotal: Detection: 62%
Source: commercial invoice & packing list doc.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe File read: C:\Users\user\Desktop\commercial invoice & packing list doc.exe
Source: unknown Process created: C:\Users\user\Desktop\commercial invoice & packing list doc.exe 'C:\Users\user\Desktop\commercial invoice & packing list doc.exe'
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: commercial invoice & packing list doc.exe Static file information: File size 1502720 > 1048576
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: commercial invoice & packing list doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: commercial invoice & packing list doc.exe, 00000001.00000003.662372874.000000000699B000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.907969348.0000000000402000.00000040.00000001.sdmp
Source: Binary string: RegAsm.pdb source: NewApp.exe, NewApp.exe.3.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.911518271.0000000005F70000.00000002.00000001.sdmp
Source: commercial invoice & packing list doc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: commercial invoice & packing list doc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: commercial invoice & packing list doc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: commercial invoice & packing list doc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: commercial invoice & packing list doc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964C95 LoadLibraryA,GetProcAddress, 1_2_00964C95
PE file contains an invalid checksum
Source: commercial invoice & packing list doc.exe Static PE information: real checksum: 0xcfeb9 should be: 0x17bce9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00988AC5 push ecx; ret 1_2_00988AD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_056735C8 push 8B042820h; iretd 3_2_056735CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_056740D8 push 8B506C25h; iretd 3_2_056740DD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05674266 push cs; ret 3_2_0567426F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05FD3C84 push FFFFFFFBh; ret 3_2_05FD3C9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05FD074A push edi; iretd 3_2_05FD074B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05FD3A90 push esp; ret 3_2_05FD3A9C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_06376E6A push es; retf 3_2_06376ED8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_06376F0E push es; iretd 3_2_06376F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_06376F61 push es; retf 3_2_06376FA0

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe File created: \commercial invoice & packing list doc.exe
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

Hooking and other Techniques for Hiding and Protection:

Detected FrenchyShellcode packer
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_005
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00964A35
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4552 Thread sleep count: 79 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4552 Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6552 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009C449B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_009C449B
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00964AFE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000003.00000002.911120466.0000000005980000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000003.00000002.911120466.0000000005980000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000003.00000002.911120466.0000000005980000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000003.00000002.908561470.0000000001328000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000003.00000002.911120466.0000000005980000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 3_2_05675B4F LdrInitializeThunk, 3_2_05675B4F
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00963B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00995BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00995BFC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964C95 LoadLibraryA,GetProcAddress, 1_2_00964C95
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00999922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00999922
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_0098A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0098A2D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00963B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00964A35
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_009C4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_009C4A08
Source: commercial invoice & packing list doc.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000003.00000002.908765728.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: commercial invoice & packing list doc.exe, RegAsm.exe, 00000003.00000002.908765728.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.908765728.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.908765728.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00995007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00995007
Source: C:\Users\user\Desktop\commercial invoice & packing list doc.exe Code function: 1_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00964AFE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000003.662372874.000000000699B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.907969348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662495096.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.667539052.0000000003F32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.909804266.00000000033B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.660899970.0000000004015000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662541463.000000000650E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662324671.000000000657B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662087323.0000000005C9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.664743766.0000000004341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORY
Source: Yara match File source: Process Memory Space: commercial invoice & packing list doc.exe PID: 6920, type: MEMORY
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.65baf84.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.654db7c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.69daf8c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice & packing list doc.exe.3f30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.4054b84.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.5cdab7c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.442974.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.4380b7c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.commercial invoice & packing list doc.exe.3fe0bbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice & packing list doc.exe.3f72974.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.3440a48.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.909804266.00000000033B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORY
Source: Yara match File source: 3.2.RegAsm.exe.3440a48.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: the same 24 MEMORY and UNPACKEDPE matches listed under "Yara detected AgentTesla" in Stealing of Sensitive Information above
Behavior Graph ID: 385429. Sample: commercial invoice & packing list doc.exe. Startdate: 12/04/2021. Architecture: WINDOWS. Score: 100.
[Behavior graph image not reproduced; the node text recoverable from it follows.]
Start node: DNS clientconfig.passport.net; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, 7 other signatures.
Processes started from the sample: commercial invoice & packing list doc.exe; NewApp.exe (two instances, each starting conhost.exe).
commercial invoice & packing list doc.exe: Detected FrenchyShellcode packer; Maps a DLL or memory area into another process; started RegAsm.exe.
RegAsm.exe: contacted rajalakshmi.co.in (43.225.55.205, ports 49733, 49767, 587, PUBLIC-DOMAIN-REGISTRYUS, United Arab Emirates), mail.rajalakshmi.co.in and 4 other IPs or domains; dropped C:\Users\user\AppData\Roaming\...\NewApp.exe (PE32); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), May check the online IP address of the machine, Tries to steal Mail credentials (via file access), 5 other signatures.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
52.20.197.7 checkip.us-east-1.prod.check-ip.aws.a2z.com United States 14618 AMAZON-AESUS false
43.225.55.205 rajalakshmi.co.in United Arab Emirates 394695 PUBLIC-DOMAIN-REGISTRYUS true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
rajalakshmi.co.in 43.225.55.205 true
checkip.us-east-1.prod.check-ip.aws.a2z.com 52.20.197.7 true
mail.rajalakshmi.co.in unknown unknown
checkip.amazonaws.com unknown unknown
clientconfig.passport.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.amazonaws.com/ false - high