Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Sample Name: Fra FAC-ES101-2107-03806.doc.exe
Analysis ID: 1639
MD5: 18b804e21a3c1c80c195e7d20dc38477
SHA1: 9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256: cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: Fra FAC-ES101-2107-03806.doc.exe.8172.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comnoekon2ti@gmail.com"}
Multi AV Scanner detection for submitted file
Source: Fra FAC-ES101-2107-03806.doc.exe Virustotal: Detection: 61% Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe Metadefender: Detection: 34% Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe ReversingLabs: Detection: 53%
Antivirus / Scanner detection for submitted sample
Source: Fra FAC-ES101-2107-03806.doc.exe Avira: detected
Antivirus detection for URL or domain
Source: http://mail.tccinfaes.com Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.tccinfaes.com Virustotal: Detection: 11% Perma Link
Source: http://mail.tccinfaes.com Virustotal: Detection: 11% Perma Link
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Fra FAC-ES101-2107-03806.doc.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.gblpr

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A9508 CryptUnprotectData, 27_2_014A9508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A9C50 CryptUnprotectData, 27_2_014A9C50

Compliance:

barindex
Uses 32bit PE files
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49756 version: TLS 1.2

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.93.227.195 188.93.227.195
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq835moktnu71nht8627dleqonv/1634123175000/00240525256395999725/*/1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-ak-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49768 -> 188.93.227.195:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49768 -> 188.93.227.195:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5640613473.000000001DE54000.00000004.00000001.sdmp String found in binary or memory: http://L3TFBaO3nLwUP4KRw.com
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: http://L3TFBaO3nLwUP4KRw.comt-
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: http://aSuCYu.com
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000001B.00000002.5646495418.000000001FF1B000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 0000001B.00000002.5646495418.000000001FF1B000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.27.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 0000001B.00000002.5640852632.000000001DE6C000.00000004.00000001.sdmp String found in binary or memory: http://mail.tccinfaes.com
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0)
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 0000001B.00000002.5640852632.000000001DE6C000.00000004.00000001.sdmp String found in binary or memory: http://tccinfaes.com
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D.27.dr String found in binary or memory: http://x1.i.lencr.org/
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq8
Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp String found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/q
Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/(&
Source: RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe
Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSed
Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSezw3D3zbFqIK2JnI8U
Source: RegAsm.exe, 0000001B.00000002.5640184321.000000001DDFE000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 0000001B.00000002.5640184321.000000001DDFE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq835moktnu71nht8627dleqonv/1634123175000/00240525256395999725/*/1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-ak-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49756 version: TLS 1.2

E-Banking Fraud:

barindex
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D Jump to dropped file

System Summary:

barindex
Uses 32bit PE files
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_004016F4 0_2_004016F4
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00401741 0_2_00401741
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00401505 0_2_00401505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C41130 27_2_00C41130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C43A50 27_2_00C43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4BA70 27_2_00C4BA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C44320 27_2_00C44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4C7D0 27_2_00C4C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C43708 27_2_00C43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00CA08F8 27_2_00CA08F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00CA6EA0 27_2_00CA6EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00D0BEE1 27_2_00D0BEE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00D0BFBB 27_2_00D0BFBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139DC28 27_2_0139DC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_013997F0 27_2_013997F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139D7D0 27_2_0139D7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139BE50 27_2_0139BE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_013942F3 27_2_013942F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_013944F8 27_2_013944F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_01397E00 27_2_01397E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014AF9E0 27_2_014AF9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A0040 27_2_014A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A6068 27_2_014A6068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014AE7A4 27_2_014AE7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014AAA68 27_2_014AAA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A7228 27_2_014A7228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_014A721F 27_2_014A721F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_1DCE5E08 27_2_1DCE5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_1DCE4ACC 27_2_1DCE4ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_1DCE5D20 27_2_1DCE5D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_1DCE6AF1 27_2_1DCE6AF1
Sample file is different than original file name gathered from version info
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1174144140.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
Source: Fra FAC-ES101-2107-03806.doc.exe Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll Jump to behavior
Source: Fra FAC-ES101-2107-03806.doc.exe Virustotal: Detection: 61%
Source: Fra FAC-ES101-2107-03806.doc.exe Metadefender: Detection: 34%
Source: Fra FAC-ES101-2107-03806.doc.exe ReversingLabs: Detection: 53%
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe File created: C:\Users\user\AppData\Local\Temp\~DF9F977EEEC1DB0140.TMP Jump to behavior
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@8/5@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2880:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2880:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1175708620.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00404871 pushfd ; ret 0_2_00404883
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00404A8E push ebx; iretd 0_2_00404A5D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00403901 push FFFFFF9Dh; ret 0_2_00403903
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB26AD push es; ret 0_2_02AB26B0
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB64B8 push es; ret 0_2_02AB6510
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB64B5 push es; ret 0_2_02AB6510
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB2E8D push 0000002Ah; ret 0_2_02AB2E8F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB429C push edi; retf 0_2_02AB42A0
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB6428 push es; ret 0_2_02AB6510
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB5A21 push FFFFFF83h; retf 0_2_02AB5A30
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB6503 push es; ret 0_2_02AB6510
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB511D push esp; ret 0_2_02AB5124
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02AB2B4C push ebx; retf 0_2_02AB2B53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4E5D8 push ds; iretd 27_2_00C4E6E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4E5C8 push ds; iretd 27_2_00C4E5CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4C6C1 push es; iretd 27_2_00C4C6C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4C7C8 push es; iretd 27_2_00C4C7CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C4D780 push ss; iretd 27_2_00C4D782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00CA1A20 push ds; ret 27_2_00CA1B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139D7D0 pushfd ; iretd 27_2_0139DB7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139DB80 pushfd ; iretd 27_2_0139DB82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139DBD0 pushfd ; iretd 27_2_0139DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_01396A90 push edx; iretd 27_2_01396A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_01396A89 push esp; iretd 27_2_01396A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_0139F2C1 push E9200622h; ret 27_2_0139F2C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_01397C88 pushad ; iretd 27_2_01397C89

Hooking and other Techniques for Hiding and Protection:

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: doc.exe Static PE information: Fra FAC-ES101-2107-03806.doc.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1SPPHH_DRSUT3UES4UDZECLKCI9PQFISE
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1175805374.0000000002AD0000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1175805374.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4928 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9937 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe System information queried: ModuleInformation Jump to behavior
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1175805374.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000001B.00000002.5624448951.00000000010EF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWf
Source: RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1175805374.0000000002AD0000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1177269866.0000000004C19000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RegAsm.exe, 0000001B.00000002.5630792884.0000000002B49000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_00C46948 KiUserExceptionDispatcher,LdrInitializeThunk, 27_2_00C46948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
Source: RegAsm.exe, 0000001B.00000002.5629686618.00000000016F1000.00000002.00020000.sdmp Binary or memory string: Program Managerh
Source: RegAsm.exe, 0000001B.00000002.5629686618.00000000016F1000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001B.00000002.5629686618.00000000016F1000.00000002.00020000.sdmp Binary or memory string: Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2796, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2796, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2796, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs