

Windows Analysis Report QUOTATION OF EQUIPMENT.exe

Overview

General Information

Sample Name: QUOTATION OF EQUIPMENT.exe
Analysis ID: 502687
MD5: 6f058c62ace41a97a12e6e7a47c9c76e
SHA1: 9c5e94ba757e2387a510bc10559136cb308ce535
SHA256: 713bcae8bce87e51a3b3f1448d816dce365302918c476d4bbe964b4834db3ccf
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • QUOTATION OF EQUIPMENT.exe (PID: 6748 cmdline: 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe' MD5: 6F058C62ACE41A97A12E6E7A47C9C76E)
    • QUOTATION OF EQUIPMENT.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe' MD5: 6F058C62ACE41A97A12E6E7A47C9C76E)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.omindexgroup.com/", "Username": "info@omindexgroup.com", "Password": "tlW}sP3mS7Z3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.566777680.00000000022E0000.00000004.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.QUOTATION OF EQUIPMENT.exe.2451458.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 25 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.omindexgroup.com/", "Username": "info@omindexgroup.com", "Password": "tlW}sP3mS7Z3"}
Machine Learning detection for sample
Source: QUOTATION OF EQUIPMENT.exe | Joe Sandbox ML: detected
Source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack
Source: QUOTATION OF EQUIPMENT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,0_2_00405E93
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054BD
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00402671 FindFirstFileA,0_2_00402671
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_00404A29 FindFirstFileExW,1_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49832 -> 192.119.9.178:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.3:49833 -> 192.119.9.178:55115
Source: Joe Sandbox View | ASN Name: 24SHELLSUS 24SHELLSUS
Source: Joe Sandbox View | IP Address: 192.119.9.178 192.119.9.178
Source: unknown | FTP traffic detected: 192.119.9.178:21 -> 192.168.2.3:49832 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 08:49. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: ftp://ftp.omindexgroup.com/info
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.omindexgroup.com
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp, QUOTATION OF EQUIPMENT.exe, 00000001.00000003.514210140.00000000005C4000.00000004.00000001.sdmp | String found in binary or memory: http://kMfms0NpHAa2q.org
Source: QUOTATION OF EQUIPMENT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QUOTATION OF EQUIPMENT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: http://yJUdUS.com
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: QUOTATION OF EQUIPMENT.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: ftp.omindexgroup.com
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FC2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: QUOTATION OF EQUIPMENT.exe
.NET source code contains very large array initializations
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, <PrivateImplementationDetails>{ADDD92D2-841A-42EA-B77C-1470A1722442}/47097661-7D05-4653-940A-C774450E8E39.cs | Large array initialization: .cctor: array initializer size 11940
Source: QUOTATION OF EQUIPMENT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030FB
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_004047D3
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_004061D4
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_72E46A24
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_72E46A33
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_0040A2A5
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_021846A0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_021845B0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_0218D310
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_05929790
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_059246F8
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_05925310
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_0592E260
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_05924A40
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_05EB0EA0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_1_0040A2A5
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: String function: 0040569E appears 36 times
Source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.297338018.000000000F1E6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameeoQopvcgKxToaqzqUBTWKQEmbNlozHuMTqggKL.exe4 vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe | Binary or memory string: OriginalFilename vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameeoQopvcgKxToaqzqUBTWKQEmbNlozHuMTqggKL.exe4 vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.565195545.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File read: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe'
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Process created: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe' (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File created: C:\Users\user\AppData\Roaming\newapp
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File created: C:\Users\user\AppData\Local\Temp\nscC7D6.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,0_2_00402053
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404292
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,1_2_00401489
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP | source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_72E41080 push eax; ret 0_2_72E410AE
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
Source: QUOTATION OF EQUIPMENT.exe | Static PE information: real checksum: 0x0 should be: 0x6e839
Source: eluwnahujm.dll.0.dr | Static PE information: real checksum: 0xca76 should be: 0x1039d
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | File created: C:\Users\user\AppData\Local\Temp\nsxC806.tmp\eluwnahujm.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Process information set: NOOPENFILEERRORBOX (65 occurrences)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 1304 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 3604 | Thread sleep count: 756 > 30
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 3604 | Thread sleep count: 9099 > 30
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Window / User API: threadDelayed 756
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Window / User API: threadDelayed 9099
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,0_2_00405E93
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054BD
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 0_2_00402671 FindFirstFileA,0_2_00402671
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe | Code function: 1_2_00404A29 FindFirstFileExW,1_2_00404A29
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566108651.000000000078B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPow