Loading ...

Play interactive tourEdit tour

Analysis Report yiu0bguw4d

Overview

General Information

Sample Name:yiu0bguw4d (renamed file extension from none to exe)
Analysis ID:395374
MD5:d5b8e2ce449917bf395454082de6cba9
SHA1:fe872c03ceef39422218003bc5a34be4faf47e55
SHA256:981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4
Tags:GuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • yiu0bguw4d.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\yiu0bguw4d.exe' MD5: D5B8E2CE449917BF395454082DE6CBA9)
    • RegAsm.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\yiu0bguw4d.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1dMb_B0qeMj8gz7LWqIfB7I-0h8qhomgl", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    Process Memory Space: RegAsm.exe PID: 6304JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: 0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dMb_B0qeMj8gz7LWqIfB7I-0h8qhomgl", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
      Multi AV Scanner detection for submitted fileShow sources
      Source: yiu0bguw4d.exeVirustotal: Detection: 62%Perma Link
      Source: yiu0bguw4d.exeMetadefender: Detection: 23%Perma Link
      Source: yiu0bguw4d.exeReversingLabs: Detection: 79%
      Source: yiu0bguw4d.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

      Networking:

      barindex
      C2 URLs / IPs found in malware configurationShow sources
      Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1dMb_B0qeMj8gz7LWqIfB7I-0h8qhomgl
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A08293 NtSetInformationThread,InternetReadFile,11_2_00A08293
      Source: RegAsm.exe, 0000000B.00000002.494807811.00000000007BA000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1dMb_B0qeMj8gz7L
      Source: RegAsm.exe, 0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1dMb_B0qeMj8gz7LWqIfB7I-0h8qhomgl
      Source: yiu0bguw4d.exe, 00000000.00000002.477090048.000000000074A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      System Summary:

      barindex
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess Stats: CPU usage > 98%
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A08293 NtSetInformationThread,InternetReadFile,11_2_00A08293
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A0446B NtSetInformationThread,InternetOpenA,InternetOpenUrlA,11_2_00A0446B
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A007EC EnumWindows,NtSetInformationThread,11_2_00A007EC
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A00AD7 NtSetInformationThread,11_2_00A00AD7
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A07CCA NtProtectVirtualMemory,11_2_00A07CCA
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A081F1 NtProtectVirtualMemory,11_2_00A081F1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A008C1 NtSetInformationThread,11_2_00A008C1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A0087A NtSetInformationThread,11_2_00A0087A
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: String function: 0040172E appears 35 times
      Source: yiu0bguw4d.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: yiu0bguw4d.exe, 00000000.00000002.476080679.000000000042A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUruguayanernes5.exe vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exe, 00000000.00000002.477199626.00000000021D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUruguayanernes5.exeFE2X vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exe, 00000000.00000002.477199626.00000000021D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUruguayanernes5.exeFE2X. vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exe, 00000000.00000002.477199626.00000000021D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUruguayanernes5.exeFE2Xm vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exe, 00000000.00000002.477199626.00000000021D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUruguayanernes5.exeFE2X" vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exe, 00000000.00000002.477037263.00000000005F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs yiu0bguw4d.exe
      Source: yiu0bguw4d.exeBinary or memory string: OriginalFilenameUruguayanernes5.exe vs yiu0bguw4d.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
      Source: yiu0bguw4d.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@3/0@0/0
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
      Source: yiu0bguw4d.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: yiu0bguw4d.exeVirustotal: Detection: 62%
      Source: yiu0bguw4d.exeMetadefender: Detection: 23%
      Source: yiu0bguw4d.exeReversingLabs: Detection: 79%
      Source: unknownProcess created: C:\Users\user\Desktop\yiu0bguw4d.exe 'C:\Users\user\Desktop\yiu0bguw4d.exe'
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\yiu0bguw4d.exe'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: Window RecorderWindow detected: More than 3 window changes detected

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: 0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6304, type: MEMORY
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040AC62 push ebp; retf 0_2_0040AC6A
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040841A push esp; retf 0_2_00408424
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040BDD1 push esp; retf 0_2_0040BDD8
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_00406DEE push es; ret 0_2_00406E09
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040C20F pushad ; retf 0_2_0040C210
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040BFD7 pushad ; ret 0_2_0040BFD8
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeCode function: 0_2_0040A3EB push edx; iretd 0_2_0040A3FB
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A062F5 push ss; ret 11_2_00A062FC
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A05433 push ebx; retf 11_2_00A05434
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A020CD 11_2_00A020CD
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A02141 11_2_00A02141
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01EB9 11_2_00A01EB9
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01E78 11_2_00A01E78
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01FFD 11_2_00A01FFD
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01F55 11_2_00A01F55
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000500B36 second address: 0000000000500B36 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000504A9D second address: 0000000000504A9D instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000500D33 second address: 0000000000500D33 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 00000000005086E7 second address: 00000000005086E7 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 00000000005087CE second address: 00000000005087CE instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000502FC8 second address: 0000000000502FC8 instructions:
      Tries to detect Any.runShow sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: yiu0bguw4d.exe, 00000000.00000002.477100378.0000000000761000.00000004.00000020.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEE
      Source: yiu0bguw4d.exe, 00000000.00000002.477100378.0000000000761000.00000004.00000020.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEEN
      Source: RegAsm.exe, 0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000507871 second address: 00000000005078A6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test eax, ecx 0x0000000d mov eax, dword ptr [esp+18h] 0x00000011 test bl, dl 0x00000013 mov byte ptr [eax], FFFFFF90h 0x00000016 test edx, eax 0x00000018 cmp ax, bx 0x0000001b mov eax, dword ptr [esp+1Ch] 0x0000001f mov byte ptr [eax], 0000006Ah 0x00000022 mov byte ptr [eax+01h], 00000000h 0x00000026 mov byte ptr [eax+02h], FFFFFFB8h 0x0000002a mov edx, dword ptr [ebp+0000013Ch] 0x00000030 nop 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000500B36 second address: 0000000000500B36 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000504A9D second address: 0000000000504A9D instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000500D33 second address: 0000000000500D33 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 00000000005086E7 second address: 00000000005086E7 instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 00000000005087CE second address: 00000000005087CE instructions:
      Source: C:\Users\user\Desktop\yiu0bguw4d.exeRDTSC instruction interceptor: First address: 0000000000502FC8 second address: 0000000000502FC8 instructions:
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000A07871 second address: 0000000000A078A6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test eax, ecx 0x0000000d mov eax, dword ptr [esp+18h] 0x00000011 test bl, dl 0x00000013 mov byte ptr [eax], FFFFFF90h 0x00000016 test edx, eax 0x00000018 cmp ax, bx 0x0000001b mov eax, dword ptr [esp+1Ch] 0x0000001f mov byte ptr [eax], 0000006Ah 0x00000022 mov byte ptr [eax+01h], 00000000h 0x00000026 mov byte ptr [eax+02h], FFFFFFB8h 0x0000002a mov edx, dword ptr [ebp+0000013Ch] 0x00000030 nop 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01457 rdtsc 11_2_00A01457
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6308Thread sleep time: -1810000s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: yiu0bguw4d.exe, 00000000.00000002.477100378.0000000000761000.00000004.00000020.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeen
      Source: yiu0bguw4d.exe, 00000000.00000002.477100378.0000000000761000.00000004.00000020.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exee
      Source: RegAsm.exe, 0000000B.00000002.494899061.0000000000A00000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A08293 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000011_2_00A08293
      Hides threads from debuggersShow sources
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01457 rdtsc 11_2_00A01457
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A04CF1 LdrInitializeThunk,11_2_00A04CF1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A027EC mov eax, dword ptr fs:[00000030h]11_2_00A027EC
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A0672D mov eax, dword ptr fs:[00000030h]11_2_00A0672D
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A0773F mov eax, dword ptr fs:[00000030h]11_2_00A0773F
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A02889 mov eax, dword ptr fs:[00000030h]11_2_00A02889
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A03977 mov eax, dword ptr fs:[00000030h]11_2_00A03977
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A06D85 mov eax, dword ptr fs:[00000030h]11_2_00A06D85
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A01E78 mov eax, dword ptr fs:[00000030h]11_2_00A01E78
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: RegAsm.exe, 0000000B.00000002.495859788.0000000001220000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: RegAsm.exe, 0000000B.00000002.495859788.0000000001220000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: RegAsm.exe, 0000000B.00000002.495859788.0000000001220000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: RegAsm.exe, 0000000B.00000002.495859788.0000000001220000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: RegAsm.exe, 0000000B.00000002.495859788.0000000001220000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00A0087A cpuid 11_2_00A0087A

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection2Virtualization/Sandbox Evasion22Input Capture1Security Software Discovery721Remote ServicesInput Capture1Exfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Process Injection2LSASS MemoryVirtualization/Sandbox Evasion22Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.