Windows Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 1637
MD5: 0fb63e5eb6af1aff086e3c2a2321f716
SHA1: 5e7e1db40c9104297c3b05b26c97a788eb92401b
SHA256: 0b65815d462586870177898072a1500ec014a390eb466ea0dd716567ada4109a

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Abnormal high CPU Usage
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Statement of Account.exe Virustotal: Detection: 21%
Source: Statement of Account.exe ReversingLabs: Detection: 23%
Multi AV Scanner detection for domain / URL
Source: https://freegeoip.app/xml/ Virustotal: Detection: 5%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A09E00 CryptUnprotectData, 24_2_00A09E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0A51B CryptUnprotectData, 24_2_00A0A51B

Compliance:

Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.11.20:49760 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49758 version: TLS 1.2

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0CF6Fh 24_2_00A0CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0FADFh 24_2_00A0F838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0C6BFh 24_2_00A0C418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0CB17h 24_2_00A0C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0DC77h 24_2_00A0D9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0D3C7h 24_2_00A0D120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0D81Fh 24_2_00A0D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0E527h 24_2_00A0E280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0E97Fh 24_2_00A0E6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0E0CFh 24_2_00A0DE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0F22Fh 24_2_00A0EF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0F687h 24_2_00A0F3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00A0EDD7h 24_2_00A0EB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esp, ebp 24_2_00A0C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esp, ebp 24_2_00A0C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABF0AFh 24_2_1DABEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABD831h 24_2_1DABCE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABE258h 24_2_1DABDE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABEC4Fh 24_2_1DABE990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABDC91h 24_2_1DABD9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABFDCFh 24_2_1DABFB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABF96Fh 24_2_1DABF6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABF50Fh 24_2_1DABF252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABE258h 24_2_1DABDE31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 24_2_1DABC99B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 24_2_1DABCB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 1DABE258h 24_2_1DABE186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 24_2_1DABC368

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org (2 queries)
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/102.129.143.96 HTTP/1.1 | Host: freegeoip.app | Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.19.200
Source: Joe Sandbox View IP Address: 132.226.247.73
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.11.20:49760 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3ec96pm2v8cjj8osvev6ltnouevou20i/1634121375000/08714151441044389622/*/1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-08-4k-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 times)
Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000018.00000002.6271305242.000000001DD70000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000018.00000002.6269476123.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000018.00000002.6271691821.000000001DD9D000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: UserOOBEBroker.exe, 00000021.00000002.6244747221.0000017B93A90000.00000002.00020000.sdmp String found in binary or memory: http://schemas.microso
Source: RegAsm.exe, 00000018.00000002.6269476123.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000003.2090010661.0000000001095000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6250601315.0000000001008000.00000004.00000020.sdmp String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000018.00000002.6253487023.0000000001071000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/%%doc-08-4k-docs.googleusercontent.com
Source: RegAsm.exe, 00000018.00000003.2375703066.0000000001052000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/A
Source: RegAsm.exe, 00000018.00000003.2375703066.0000000001052000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/L
Source: RegAsm.exe, 00000018.00000003.2090010661.0000000001095000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3ec96pm2
Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/M(
Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ
Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ4&/
Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJTad-woJtmtPfZ2CsQ
Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/102.129.143.96
Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000018.00000002.6272576739.000000001DE08000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49758 version: TLS 1.2
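The request and TLS lines in this section, re-parsed and scored as an added example (this is not part of the Joe Sandbox report or its engine). The request strings are copied from the report in the flattened form it prints them, with headers run together; the indicator host lists, tag names and the TLS floor are this example's own assumptions. The user-agent check rests on one fact worth knowing: a genuine Internet Explorer token reads ".NET CLR 1.0.3705" with a space, and the string observed here omits it.

```python
"""Triage of the HTTP and TLS observations in the report's Networking section.

Added example; not part of the Joe Sandbox report. OBSERVED copies the
report's request lines in the flattened form it prints them (headers run
together); the indicator host lists, tag names and the TLS floor are this
example's own assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Services that only echo the caller's public IP or geolocation. Stealers call
# them to tag exfiltrated data; ordinary desktop software rarely does.
# (Assumption: illustrative, not an exhaustive list.)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}

# Consumer file-sharing hosts used here to stage the second stage.
CLOUD_DROP_HOSTS = ("drive.google.com", "googleusercontent.com")

# Versions below the floor most baselines require for HTTPS.
WEAK_TLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}

# Header names the report ran together without separators; the lookahead
# re-splits a flattened line before each of them.
HEADER_NAMES = ("User-Agent", "Host", "Connection", "Cache-Control", "Accept",
                "Content-Type", "Content-Length")
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-cased header names

    @property
    def host(self) -> str:
        return self.headers.get("host", "").lower()


def parse_flat_request(line: str) -> Request:
    """Parse 'GET / HTTP/1.1User-Agent: ...Host: ...' into method, path, headers."""
    parts = [p.strip() for p in _SPLIT.split(line) if p.strip()]
    method, path, _version = parts[0].split(" ", 2)
    headers = {}
    for raw in parts[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def triage(req: Request) -> list[str]:
    """Indicator tags for one request; an empty list means nothing notable."""
    tags = []
    ua = req.headers.get("user-agent")
    if ua is None:
        tags.append("no-user-agent")
    elif re.search(r"\.NET CLR\d", ua):
        # A genuine IE token reads ".NET CLR 1.0.3705" with a space; the
        # observed string omits it, so the UA itself is a usable signature.
        tags.append("malformed-clr-ua-token")
    if req.host in IP_LOOKUP_HOSTS:
        tags.append("ip-lookup-service")
    if req.host.endswith(CLOUD_DROP_HOSTS) and (
            "export=download" in req.path or "e=download" in req.path):
        tags.append("cloud-hosted-download")
    return tags


# Copied from the report's "HTTP traffic detected" lines, flattened as printed.
OBSERVED = [
    "GET /uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ HTTP/1.1"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    "Host: drive.google.comCache-Control: no-cache",
    "GET /xml/102.129.143.96 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive",
    "GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;"
    " .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive",
]

# Copied from the report's "HTTPS traffic detected" lines.
TLS_OBSERVED = [
    "104.21.19.200:443 -> 192.168.11.20:49760 version: TLS 1.0",
    "172.217.168.46:443 -> 192.168.11.20:49757 version: TLS 1.2",
    "142.250.184.193:443 -> 192.168.11.20:49758 version: TLS 1.2",
]


def triage_report(lines=OBSERVED) -> dict[str, list[str]]:
    """Host -> indicator tags for every request line."""
    return {req.host: triage(req) for req in map(parse_flat_request, lines)}


def weak_tls_servers(lines=TLS_OBSERVED) -> list[str]:
    """Server endpoints that negotiated a version in WEAK_TLS."""
    weak = []
    for line in lines:
        server, _, rest = line.partition(" -> ")
        if rest.rsplit("version: ", 1)[-1].strip() in WEAK_TLS:
            weak.append(server)
    return weak


if __name__ == "__main__":
    for host, tags in triage_report().items():
        print(f"{host:40} {', '.join(tags) or '-'}")
    print("weak TLS to:", weak_tls_servers())
```

Run stand-alone it prints one line per host; the freegeoip.app request scores on two counts (no User-Agent header at all, and an IP-lookup destination), the checkip.dyndns.org request on the malformed CLR token plus the destination, and the drive.google.com request as a cloud-hosted download. Only the 104.21.19.200:443 connection falls below TLS 1.2.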

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00401868 0_2_00401868
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040228E 0_2_0040228E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403253 0_2_00403253
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040346F 0_2_0040346F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403612 0_2_00403612
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004032D9 0_2_004032D9
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004034FC 0_2_004034FC
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403353 0_2_00403353
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004033E4 0_2_004033E4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403583 0_2_00403583
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004031B3 0_2_004031B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0CCC8 24_2_00A0CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0F838 24_2_00A0F838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0C418 24_2_00A0C418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0C870 24_2_00A0C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D9D0 24_2_00A0D9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D120 24_2_00A0D120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D578 24_2_00A0D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0E280 24_2_00A0E280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0E6D8 24_2_00A0E6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0DE28 24_2_00A0DE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A02208 24_2_00A02208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0EF88 24_2_00A0EF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A097E0 24_2_00A097E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0F3E0 24_2_00A0F3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A06728 24_2_00A06728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0EB30 24_2_00A0EB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0CCB8 24_2_00A0CCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0F828 24_2_00A0F828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0C408 24_2_00A0C408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0C86C 24_2_00A0C86C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A05D80 24_2_00A05D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A021FA 24_2_00A021FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D9C0 24_2_00A0D9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A05923 24_2_00A05923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D111 24_2_00A0D111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0D569 24_2_00A0D569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A05D70 24_2_00A05D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0E6C8 24_2_00A0E6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0BA30 24_2_00A0BA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0DE18 24_2_00A0DE18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0E271 24_2_00A0E271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A097CF 24_2_00A097CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0F3DC 24_2_00A0F3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0EB21 24_2_00A0EB21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00A0EF79 24_2_00A0EF79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABEDF0 24_2_1DABEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DAB2F0A 24_2_1DAB2F0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABCE48 24_2_1DABCE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABE990 24_2_1DABE990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABD9D1 24_2_1DABD9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABFB11 24_2_1DABFB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DAB5A68 24_2_1DAB5A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DAB4440 24_2_1DAB4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABF6B0 24_2_1DABF6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DAB9148 24_2_1DAB9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DAB6090 24_2_1DAB6090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABE2D0 24_2_1DABE2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABF252 24_2_1DABF252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABC368 24_2_1DABC368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABC357 24_2_1DABC357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABE2C1 24_2_1DABE2C1
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: String function: 0040177E appears 94 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Statement of Account.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Statement of Account.exe, 00000000.00000002.2113856348.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUnnec1.exeFE2X vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000000.1194085530.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
Source: Statement of Account.exe Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
PE file contains strange resources
Source: Statement of Account.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Section loaded: edgegdi.dll
Source: Statement of Account.exe Virustotal: Detection: 21%
Source: Statement of Account.exe ReversingLabs: Detection: 23%
Source: Statement of Account.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@4/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
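The process tree above is the point a detection engineer should take from this section: the VB6 sample (it loads msvbvm60.dll) spawns C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe whose command line names the parent, 'C:\Users\user\Desktop\Statement of Account.exe', and that RegAsm.exe then performs all of the network and credential activity. Together with "Creates a process in suspended mode" and "Writes to foreign memory regions", that is the hollowing pattern. The following added example, which is not part of the report or its engine, shows the rules a practitioner would run over process-creation telemetry. The Sysmon-style field names, placeholder PIDs, the benign RegAsm invocation used for contrast and the list of .NET utilities are constructed assumptions.

```python
"""Process-tree heuristics for the injection pattern in the report.

Added example; not part of the Joe Sandbox report or its detection engine.
EVENTS is constructed to mirror the report's process-creation lines using
Sysmon-style field names (an assumption); PIDs are placeholders, and the
rule set and the utility list are illustrative.
"""
from __future__ import annotations
import ntpath

# .NET Framework utilities that legitimately run with an assembly argument and
# have no reason to open network connections (assumption: illustrative list).
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def argv0(command_line: str) -> str:
    """Return the program token of a Windows command line (quoted or bare)."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def has_extra_args(command_line: str) -> bool:
    """True when anything follows the program token."""
    s = command_line.strip()
    prog_len = len(argv0(s)) + (2 if s.startswith('"') else 0)
    return s[prog_len:].strip() != ""


def evaluate(event: dict) -> list[str]:
    """Rule names that fire for one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    claimed = ntpath.basename(argv0(event["CommandLine"])).lower()
    hits = []
    # The mapped image and the executable named in the command line disagree:
    # the hallmark of hollowing / RunPE, where a suspended RegAsm.exe is
    # overwritten with the payload but keeps the command line it was given.
    if claimed != image:
        hits.append("image_commandline_mismatch")
    if image in DOTNET_UTILITIES:
        # RegAsm without an assembly to register has nothing legitimate to do.
        if not has_extra_args(event["CommandLine"]):
            hits.append("dotnet_utility_without_assembly_argument")
        if event.get("NetworkConnect"):
            hits.append("dotnet_utility_network_activity")
    return hits


def analyze(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> fired rules, for events that fired at least one."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event["ProcessId"]] = hits
    return result


# Constructed to mirror the report's process tree; PIDs are placeholders and
# the parent of the initial sample is "unknown" in the report.
EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Users\user\Desktop\Statement of Account.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Statement of Account.exe"',
     "ParentImage": None, "NetworkConnect": False},
    {"ProcessId": 2, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Statement of Account.exe"',
     "ParentImage": r"C:\Users\user\Desktop\Statement of Account.exe", "NetworkConnect": True},
    {"ProcessId": 3, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "NetworkConnect": False},
    # Constructed benign developer use of RegAsm, for contrast; not from the report.
    {"ProcessId": 4, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\build\MyComLib.dll /codebase',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "NetworkConnect": False},
]


if __name__ == "__main__":
    for pid, rules in analyze(EVENTS).items():
        print(pid, ", ".join(rules))
```

Only the hollowed RegAsm.exe trips anything: all three rules fire for it, while the sample's own launch, the conhost child and the benign RegAsm invocation with an assembly argument produce nothing. The image/command-line mismatch alone is usually enough to page on; the other two rules are there so the alert still fires when the injector bothers to fake a plausible command line.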

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403F55 push 00000043h; ret 0_2_00403F65
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004021A3 push FFFFFFC6h; retf 0_2_00402213
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004067B9 push eax; retf 0_2_004067BA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02273C40 push esi; iretd 0_2_02273C41
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02270EF6 push BA9255A5h; ret 0_2_02270F1A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_022728FC pushfd ; ret 0_2_02272908
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02270F14 push BA9255A5h; ret 0_2_02270F1A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02273362 push cs; ret 0_2_02273364
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02272B4E push ss; retf 0_2_02272B5B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_02272DCD push cs; iretd 0_2_02272DCE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_022733C8 pushfd ; ret 0_2_022733CE
Source: initial sample Static PE information: section name: .text entropy: 6.83550763896
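The "push ...; ret" sequences listed above and the "4x nop then jmp" sequences under Software Vulnerabilities are short byte patterns that can be recovered from a memory dump without a disassembler. The added example below is not the sandbox engine's code: its SAMPLE buffer is constructed from the instruction patterns the report names (it is not bytes extracted from the sample), and BASE reuses the first RegAsm.exe function address 00A0CCC8 only so that the computed jump target can be compared with the report's first nop line. It also shows why the report prints "push FFFFFFC6h" for a one-byte immediate: the 6A opcode sign-extends its operand to 32 bits.

```python
"""Byte-level heuristics for the "push ...; ret" and "4x nop then jmp" findings.

Added example; not the sandbox engine's code. SAMPLE is constructed here from
the instruction patterns the report lists and is not bytes from the sample.
BASE is an assumed load address taken from the report's first nop finding.
"""
from __future__ import annotations
import re
import struct

RET_NAMES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
PUSH_NAMES = {0x50 + i: f"push {r}" for i, r in
              enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_NAMES.update({0x0E: "push cs", 0x16: "push ss", 0x9C: "pushfd"})

# Each pattern is anchored on what makes the sequence odd for compiled code:
# an immediate or register push immediately followed by a return (a disguised
# jump), or a run of NOPs that exists only as padding before a jmp.
PATTERNS = {
    "push imm8; ret": re.compile(rb"\x6a(.)([\xc3\xcb\xcf])", re.DOTALL),
    "push imm32; ret": re.compile(rb"\x68(.{4})([\xc3\xcb\xcf])", re.DOTALL),
    "push reg; ret": re.compile(rb"([\x50-\x57\x0e\x16\x9c])([\xc3\xcb\xcf])", re.DOTALL),
    "4x nop then jmp": re.compile(rb"\x90{4}(?:\xe9(.{4})|\xeb(.))", re.DOTALL),
}


def _signed(raw: bytes) -> int:
    """Little-endian signed decode of a 1- or 4-byte displacement/immediate."""
    return struct.unpack("<b" if len(raw) == 1 else "<i", raw)[0]


def scan(buf: bytes, base: int = 0) -> list[dict]:
    """Return findings sorted by virtual address, formatted like the report."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            va = base + m.start()
            if kind == "4x nop then jmp":
                rel = m.group(1) or m.group(2)
                # Target = address of the byte after the jmp + displacement.
                target = (va + 4 + 1 + len(rel) + _signed(rel)) & 0xFFFFFFFF
                text = f"4x nop then jmp {target:08X}h"
            elif kind == "push reg; ret":
                target = None
                text = f"{PUSH_NAMES[m.group(1)[0]]}; {RET_NAMES[m.group(2)[0]]}"
            else:
                # push imm8 sign-extends to 32 bits, so 6A C6 is push FFFFFFC6h;
                # the ret then transfers control to that value.
                target = _signed(m.group(1)) & 0xFFFFFFFF
                text = f"push {target:08X}h; {RET_NAMES[m.group(2)[0]]}"
            findings.append({"va": va, "kind": kind, "text": text, "target": target})
    return sorted(findings, key=lambda f: f["va"])


BASE = 0x00A0CCC8  # assumed: first RegAsm.exe function in the report's nop list

# Constructed bytes: ordinary prologue/epilogue interleaved with the patterns
# the report names. Not extracted from the sample.
SAMPLE = bytes.fromhex(
    "90909090E99E020000"  # 4x nop then jmp +29Eh  -> 00A0CF6Fh from BASE
    "558BEC"              # push ebp; mov ebp, esp   (benign prologue)
    "6A43C3"              # push 43h; ret
    "33C0"                # xor eax, eax
    "68A55592BAC3"        # push BA9255A5h; ret
    "6AC6CB"              # push 0C6h; retf          (prints as FFFFFFC6h)
    "9CC3"                # pushfd; ret
    "5DC3"                # pop ebp; ret             (benign epilogue)
)


if __name__ == "__main__":
    for f in scan(SAMPLE, BASE):
        print(f"{f['kind']:16} {f['text']:32} {f['va']:08X}")
```

The ordinary prologue and epilogue bytes produce no hits, which is the property that makes these heuristics usable on real dumps; the five planted sequences come back in address order with the same rendering the report uses, and the nop-sled jump resolves to 00A0CF6Fh when the buffer is placed at 00A0CCC8h, matching the report's first "4x nop then jmp" line.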
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Statement of Account.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Statement of Account.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Statement of Account.exe, 00000000.00000002.2113295869.0000000002250000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1FUTTG-3DZNTLASXF1YPDYHIZZ_WIO3SJ
Source: Statement of Account.exe, 00000000.00000002.2113295869.0000000002250000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Statement of Account.exe System information queried: ModuleInformation
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: RegAsm.exe, 00000018.00000002.6253487023.0000000001071000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWr
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000018.00000002.6252181166.0000000001044000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Statement of Account.exe, 00000000.00000002.2113295869.0000000002250000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Statement of Account.exe, 00000000.00000002.2115655986.00000000047E9000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ
Source: RegAsm.exe, 00000018.00000002.6259539554.00000000028E9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: Statement of Account.exe, 00000000.00000002.2113295869.0000000002250000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Statement of Account.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040228E mov ebx, dword ptr fs:[00000030h] 0_2_0040228E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004031B3 mov ebx, dword ptr fs:[00000030h] 0_2_004031B3
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Statement of Account.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_1DABCE48 LdrInitializeThunk, 24_2_1DABCE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B60000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: RegAsm.exe, 00000018.00000002.6257959378.0000000001490000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000021.00000002.6248640820.0000017B942B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000018.00000002.6257959378.0000000001490000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000021.00000002.6248640820.0000017B942B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000018.00000002.6257959378.0000000001490000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000021.00000002.6248640820.0000017B942B0000.00000002.00020000.sdmp Binary or memory string: BProgram Manager=j
Source: RegAsm.exe, 00000018.00000002.6257959378.0000000001490000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000021.00000002.6248640820.0000017B942B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: RegAsm.exe, 00000018.00000002.6269476123.000000001DCC1000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7740, type: MEMORYSTR