Loading ...

Play interactive tourEdit tour

Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Sample Name:Fra FAC-ES101-2107-03806.doc.exe
Analysis ID:1639
MD5:18b804e21a3c1c80c195e7d20dc38477
SHA1:9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256:cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Fra FAC-ES101-2107-03806.doc.exe (PID: 8172 cmdline: 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' MD5: 18B804E21A3C1C80C195E7D20DC38477)
    • RegAsm.exe (PID: 2648 cmdline: 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 2792 cmdline: 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 2796 cmdline: 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 2880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comnoekon2ti@gmail.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1175708620.0000000002AB0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 2796JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 2796JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            Networking:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 188.93.227.195, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 2796, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49768

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: Fra FAC-ES101-2107-03806.doc.exe.8172.0.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comnoekon2ti@gmail.com"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: Fra FAC-ES101-2107-03806.doc.exeVirustotal: Detection: 61%Perma Link
            Source: Fra FAC-ES101-2107-03806.doc.exeMetadefender: Detection: 34%Perma Link
            Source: Fra FAC-ES101-2107-03806.doc.exeReversingLabs: Detection: 53%
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: Fra FAC-ES101-2107-03806.doc.exeAvira: detected
            Antivirus detection for URL or domainShow sources
            Source: http://mail.tccinfaes.comAvira URL Cloud: Label: malware
            Multi AV Scanner detection for domain / URLShow sources
            Source: mail.tccinfaes.comVirustotal: Detection: 11%Perma Link
            Source: http://mail.tccinfaes.comVirustotal: Detection: 11%Perma Link
            Source: 0.0.Fra FAC-ES101-2107-03806.doc.exe.400000.0.unpackAvira: Label: TR/AD.Nekark.gblpr
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A9508 CryptUnprotectData,27_2_014A9508
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A9C50 CryptUnprotectData,27_2_014A9C50
            Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49755 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49756 version: TLS 1.2

            Networking:

            barindex
            Source: Joe Sandbox ViewASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox ViewIP Address: 188.93.227.195 188.93.227.195
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq835moktnu71nht8627dleqonv/1634123175000/00240525256395999725/*/1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-ak-docs.googleusercontent.comConnection: Keep-Alive
            Source: global trafficTCP traffic: 192.168.11.20:49768 -> 188.93.227.195:587
            Source: global trafficTCP traffic: 192.168.11.20:49768 -> 188.93.227.195:587
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.5640613473.000000001DE54000.00000004.00000001.sdmpString found in binary or memory: http://L3TFBaO3nLwUP4KRw.com
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: http://L3TFBaO3nLwUP4KRw.comt-
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: http://aSuCYu.com
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.org0
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: RegAsm.exe, 0000001B.00000002.5646495418.000000001FF1B000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: RegAsm.exe, 0000001B.00000002.5646495418.000000001FF1B000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.27.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: RegAsm.exe, 0000001B.00000002.5640852632.000000001DE6C000.00000004.00000001.sdmpString found in binary or memory: http://mail.tccinfaes.com
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/0)
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: http://r3.o.lencr.org0
            Source: RegAsm.exe, 0000001B.00000002.5640852632.000000001DE6C000.00000004.00000001.sdmpString found in binary or memory: http://tccinfaes.com
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D.27.drString found in binary or memory: http://x1.i.lencr.org/
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq8
            Source: RegAsm.exe, 0000001B.00000002.5623907420.00000000010C0000.00000004.00000020.sdmpString found in binary or memory: https://doc-04-ak-docs.googleusercontent.com/q
            Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/(&
            Source: RegAsm.exe, 0000001B.00000002.5622662843.0000000000EF0000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe
            Source: RegAsm.exe, 0000001B.00000002.5623186100.000000000107A000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSed
            Source: RegAsm.exe, 0000001B.00000003.1147991565.0000000001100000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSezw3D3zbFqIK2JnI8U
            Source: RegAsm.exe, 0000001B.00000002.5640184321.000000001DDFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com//
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/v104
            Source: RegAsm.exe, 0000001B.00000002.5640184321.000000001DDFE000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
            Source: RegAsm.exe, 0000001B.00000002.5639470864.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/qc1fdhq835moktnu71nht8627dleqonv/1634123175000/00240525256395999725/*/1sPphH_DrSUT3UeS4UDzeclKCi9pqFiSe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-ak-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.185.174:443 -> 192.168.11.20:49755 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49756 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3DJump to dropped file
            Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004016F40_2_004016F4
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004017410_2_00401741
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004015050_2_00401505
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4113027_2_00C41130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C43A5027_2_00C43A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4BA7027_2_00C4BA70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4432027_2_00C44320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4C7D027_2_00C4C7D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4370827_2_00C43708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00CA08F827_2_00CA08F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00CA6EA027_2_00CA6EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00D0BEE127_2_00D0BEE1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00D0BFBB27_2_00D0BFBB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139DC2827_2_0139DC28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_013997F027_2_013997F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139D7D027_2_0139D7D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139BE5027_2_0139BE50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_013942F327_2_013942F3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_013944F827_2_013944F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_01397E0027_2_01397E00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014AF9E027_2_014AF9E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A004027_2_014A0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A606827_2_014A6068
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014AE7A427_2_014AE7A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014AAA6827_2_014AAA68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A722827_2_014A7228
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_014A721F27_2_014A721F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_1DCE5E0827_2_1DCE5E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_1DCE4ACC27_2_1DCE4ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_1DCE5D2027_2_1DCE5D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_1DCE6AF127_2_1DCE6AF1
            Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.1174144140.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
            Source: Fra FAC-ES101-2107-03806.doc.exeBinary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edgegdi.dllJump to behavior
            Source: Fra FAC-ES101-2107-03806.doc.exeVirustotal: Detection: 61%
            Source: Fra FAC-ES101-2107-03806.doc.exeMetadefender: Detection: 34%
            Source: Fra FAC-ES101-2107-03806.doc.exeReversingLabs: Detection: 53%
            Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3DJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9F977EEEC1DB0140.TMPJump to behavior
            Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@8/5@4/3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2880:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2880:120:WilError_03
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000000.00000002.1175708620.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00404871 pushfd ; ret 0_2_00404883
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00404A8E push ebx; iretd 0_2_00404A5D
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00403901 push FFFFFF9Dh; ret 0_2_00403903
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB26AD push es; ret 0_2_02AB26B0
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB64B8 push es; ret 0_2_02AB6510
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB64B5 push es; ret 0_2_02AB6510
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB2E8D push 0000002Ah; ret 0_2_02AB2E8F
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB429C push edi; retf 0_2_02AB42A0
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB6428 push es; ret 0_2_02AB6510
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB5A21 push FFFFFF83h; retf 0_2_02AB5A30
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB6503 push es; ret 0_2_02AB6510
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB511D push esp; ret 0_2_02AB5124
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02AB2B4C push ebx; retf 0_2_02AB2B53
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4E5D8 push ds; iretd 27_2_00C4E6E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4E5C8 push ds; iretd 27_2_00C4E5CA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4C6C1 push es; iretd 27_2_00C4C6C2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4C7C8 push es; iretd 27_2_00C4C7CA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00C4D780 push ss; iretd 27_2_00C4D782
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_00CA1A20 push ds; ret 27_2_00CA1B1F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139D7D0 pushfd ; iretd 27_2_0139DB7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139DB80 pushfd ; iretd 27_2_0139DB82
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139DBD0 pushfd ; iretd 27_2_0139DBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_01396A90 push edx; iretd 27_2_01396A92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_01396A89 push esp; iretd 27_2_01396A8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_0139F2C1 push E9200622h; ret 27_2_0139F2C6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 27_2_01397C88 pushad ; iretd 27_2_01397C89

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Uses an obfuscated file name to hide its real file extension (double extension)Show sources
            Source: Possible double extension: doc.exeStatic PE information: Fra FAC-ES101-2107-03806.doc.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe