Windows Analysis Report Inv 0110617985 PO Wartsila quantiparts B.V..exe

Overview

General Information

Sample Name: Inv 0110617985 PO Wartsila quantiparts B.V..exe
Analysis ID: 458946
MD5: 5c9c7f90ae087c40601f5d6bd85cadb7
SHA1: 15a76b5c5d5ee677f33b76a8371054821c6f6522
SHA256: 2e4901e09f9e7e72b65f301113d5bb075576e02fee03eb8414a986a1cca63cbb
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "samy@cairoshippinginternational.com", "Password": "NermoSamy@2006+", "Host": "mail.cairoshippinginternational.com"}
Multi AV Scanner detection for submitted file
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Virustotal: Detection: 71%
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Metadefender: Detection: 40%
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49756 -> 99.198.101.234:587
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp String found in binary or memory: http://kgXKqA.com
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp String found in binary or memory: https://2ldxNK2U0Dyorw0.org
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_013755A0 6_2_013755A0
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_0137B864 6_2_0137B864
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_01373378 6_2_01373378
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_01370EA8 6_2_01370EA8
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_0137B468 6_2_0137B468
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_0137C7F8 6_2_0137C7F8
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_01372E38 6_2_01372E38
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_015709C8 6_2_015709C8
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_017BD160 6_2_017BD160
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_017B8B18 6_2_017B8B18
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_017B1F88 6_2_017B1F88
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_017B538C 6_2_017B538C
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_017B8649 6_2_017B8649
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D47A0 6_2_031D47A0
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D5471 6_2_031D5471
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D3CCC 6_2_031D3CCC
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D4710 6_2_031D4710
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D46B0 6_2_031D46B0
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031D46D0 6_2_031D46D0
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_031DD661 6_2_031DD661
PE file contains strange resources
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000001.00000000.216013415.0000000000E14000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameITypeLibImporterNotifySi.exe4 vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameXVLIKsxArMXXshQXbZxL.exe4 vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.491090167.00000000063E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.484976552.000000000158A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.483740101.0000000000F34000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameITypeLibImporterNotifySi.exe4 vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485371021.0000000001790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Binary or memory string: OriginalFilenameITypeLibImporterNotifySi.exe4 vs Inv 0110617985 PO Wartsila quantiparts B.V..exe
Uses 32bit PE files
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv 0110617985 PO Wartsila quantiparts B.V..exe.log
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Mutant created: \Sessions\1\BaseNamedObjects\flBuYYWkaCCoZhEJXJlsLfIks
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe 'C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe'
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Process created: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static file information: File size 1315328 > 1048576
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110600
Source: initial sample Static PE information: section name: .text entropy: 7.71885600168

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File created: \inv 0110617985 po wartsila quantiparts b.v..exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Window / User API: threadDelayed 2225
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Window / User API: threadDelayed 7542
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5896 Thread sleep time: -38747s >= -30000s
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5444 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5444 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5872 Thread sleep count: 2225 > 30
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5872 Thread sleep count: 7542 > 30
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe TID: 5444 Thread sleep count: 39 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Thread delayed: delay time: 38747
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Thread delayed: delay time: 922337203685477
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.491090167.00000000063E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.491090167.00000000063E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.491090167.00000000063E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.491090167.00000000063E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Code function: 6_2_01374A78 LdrInitializeThunk, 6_2_01374A78
Enables debug privileges
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Process created: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485749282.0000000001C40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485749282.0000000001C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485749282.0000000001C40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Inv 0110617985 PO Wartsila quantiparts B.V..exe, 00000006.00000002.485749282.0000000001C40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Inv 0110617985 PO Wartsila quantiparts B.V..exe PID: 4472, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Inv 0110617985 PO Wartsila quantiparts B.V..exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Inv 0110617985 PO Wartsila quantiparts B.V..exe PID: 4472, type: MEMORYSTR
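Added example, not part of this Joe Sandbox report or of the sandbox's own tooling: a small Python triage script that reads behaviour lines in the "Source: <image> <verb>: <target>" form printed in the sections above and maps each target onto what it tells an analyst. The self-spawn under "Creates a process in suspended mode" is flagged as the process-hollowing pattern; the file and registry targets under "Stealing of Sensitive Information" are grouped by the credential store they belong to (browser, FTP client, mail client, WinSCP sessions); the MachineGuid read is grouped as host fingerprinting. The sample lines are constructed from this report's entries (one GAC volume-information line is included to show a target that matches nothing). Category names, the rule patterns and all function names are this example's own assumptions, not anything the report defines.

```python
"""Triage of sandbox behaviour lines: classify what a sample touched.

Hypothetical helper written for this report (not Joe Sandbox code). It parses
'Source: <image> <verb>: <target>' lines as printed in the behaviour sections
and maps each target to the credential store or fingerprint it implies.
"""
import json
import re
from collections import defaultdict

# Constructed sample input: paths copied from this report's behaviour entries.
SAMPLE = "C:\\Users\\user\\Desktop\\Inv 0110617985 PO Wartsila quantiparts B.V..exe"
SAMPLE_EVENTS = [
    f"Source: {SAMPLE} Process created: {SAMPLE} {SAMPLE}",
    f"Source: {SAMPLE} Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    f"Source: {SAMPLE} Key opened: HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini",
    f"Source: {SAMPLE} File opened: C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini",  # repeated open, deduplicated below
    f"Source: {SAMPLE} Key opened: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    f"Source: {SAMPLE} Key opened: HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities",
    # A .NET runtime probe from the report: matches no rule, lands in 'unclassified'.
    f"Source: {SAMPLE} Queries volume information: C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.Management.dll VolumeInformation",
]

VERBS = ("Process created", "File opened", "Key opened", "Key value queried", "Queries volume information")
# Non-greedy image match stops at the first '.exe', so the target may itself contain paths.
EVENT_RE = re.compile(r"^Source: (?P<image>.+?\.exe) (?P<verb>" + "|".join(VERBS) + r"): (?P<target>.+)$")

# (category, case-insensitive regex on the target). Assumed category names.
TARGET_RULES = [
    ("browser_credentials", r"\\mozilla\\firefox\\profiles\.ini$"),
    ("browser_credentials", r"\\google\\chrome\\user data\\[^\\]+\\login data$"),
    ("ftp_credentials",     r"\\filezilla\\recentservers\.xml$"),
    ("ftp_credentials",     r"\\smartftp\\client [\d.]+\\favorites\\"),
    ("mail_credentials",    r"\\thunderbird\\profiles\.ini$"),
    ("mail_credentials",    r"\\windows messaging subsystem\\profiles\\"),
    ("mail_credentials",    r"\\incredimail\\identities$"),
    ("scp_sftp_sessions",   r"\\martin prikryl\\winscp 2\\sessions$"),
    ("host_fingerprint",    r"^hkey_local_machine\\software\\microsoft\\cryptography machineguid$"),
]


def parse_event(line):
    """Return {'image', 'verb', 'target'} for a behaviour line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_target(target):
    """Map a file or registry target to a category, or None when no rule matches."""
    t = target.lower()
    for category, pattern in TARGET_RULES:
        if re.search(pattern, t):
            return category
    return None


def is_self_spawn(event):
    """True when the parent starts a second copy of its own image.

    The report pairs this with a suspended-mode process creation; that is the
    process-hollowing shape: the clean second copy is started suspended and its
    image is replaced with the unpacked payload before the main thread runs.
    """
    if event["verb"] != "Process created":
        return False
    image, target = event["image"], event["target"]
    return target[:len(image)] == image and (len(target) == len(image) or target[len(image)] == " ")


def triage(lines):
    """Group behaviour lines into categories, self-spawns and unclassified targets."""
    categories = defaultdict(list)
    report = {"self_spawn": [], "unclassified": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if is_self_spawn(ev):
            report["self_spawn"].append(ev["target"])
            continue
        cat = classify_target(ev["target"])
        if cat is None:
            report["unclassified"].append(ev["target"])
        elif ev["target"] not in categories[cat]:  # repeated opens of one file count once
            categories[cat].append(ev["target"])
    report["categories"] = dict(categories)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The grouped paths are the ones worth turning into file- and registry-access audit rules on real hosts: an unsigned process under a user's profile opening Chrome's Login Data, FileZilla's recentservers.xml and the WinSCP Sessions key within one run is the stealer's behaviour, whatever name the binary carries.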

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 6.2.Inv 0110617985 PO Wartsila quantiparts B.V..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.483047618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.485981746.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Inv 0110617985 PO Wartsila quantiparts B.V..exe PID: 4472, type: MEMORYSTR
No contacted IP infos