Windows Analysis Report Euro invoice.exe

Overview

General Information

Sample Name: Euro invoice.exe
Analysis ID: 528711
MD5: 15f79ec8cfa1ad6c24767d4ca45aa4cd
SHA1: 3b48453cc5680c048880bb0c4f0f19f34fdf1da7
SHA256: 49d22404c910a5bd1b6e13d92bb411b826edfc42fd680cfaa90ffb23ecc3a195
Tags: agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 1.2.Euro invoice.exe.442a590.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "support25@vrlogistic.net", "Password": "support25!@#$", "Host": "mail.vrlogistic.net"}
Multi AV Scanner detection for submitted file
Source: Euro invoice.exe ReversingLabs: Detection: 33%
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: Euro invoice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Euro invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
Source: Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49840 -> 148.66.138.164:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://Fedebu.com
Source: RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft.co)X
Source: RegSvcs.exe, 00000005.00000002.557542494.0000000002E8A000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557664034.0000000002ECD000.00000004.00000001.sdmp String found in binary or memory: http://k5CVS3sUuqbD95uELlH.net
Source: RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp String found in binary or memory: http://mail.vrlogistic.net
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.vrlogistic.net

Spam, unwanted Advertisements and Ransom Demands:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Euro invoice.exe
.NET source code contains very large array initializations
Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs Large array initialization: .cctor: array initializer size 11964
Uses 32bit PE files
Source: Euro invoice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_0319A710 1_2_0319A710
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_031904D8 1_2_031904D8
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_03190856 1_2_03190856
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_031918F0 1_2_031918F0
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_03191C02 1_2_03191C02
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_03190880 1_2_03190880
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_03191991 1_2_03191991
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_05FB0AE0 1_2_05FB0AE0
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_05FB8330 1_2_05FB8330
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_05FB8320 1_2_05FB8320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010A85C8 5_2_010A85C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010A3960 5_2_010A3960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010A8D08 5_2_010A8D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010ACDA8 5_2_010ACDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010A8E08 5_2_010A8E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013047A0 5_2_013047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01304718 5_2_01304718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05536508 5_2_05536508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05537120 5_2_05537120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05536850 5_2_05536850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_055390D8 5_2_055390D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05532260 5_2_05532260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05532229 5_2_05532229
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0553BEB8 appears 48 times
Sample file is different than original file name gathered from version info
Source: Euro invoice.exe Binary or memory string: OriginalFilename vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.307877674.0000000005FA0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.308107167.0000000006770000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
Source: Euro invoice.exe Binary or memory string: OriginalFilenameFileSecurityStateAcce.exe. vs Euro invoice.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: Euro invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Euro invoice.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Euro invoice.exe File read: C:\Users\user\Desktop\Euro invoice.exe:Zone.Identifier Jump to behavior
Source: Euro invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Euro invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Euro invoice.exe "C:\Users\user\Desktop\Euro invoice.exe"
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Euro invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Euro invoice.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@11/6@1/1
Source: C:\Users\user\Desktop\Euro invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Mutant created: \Sessions\1\BaseNamedObjects\bSIqof
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: C:\Users\user\Desktop\Euro invoice.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: Euro invoice.exe String found in binary or memory: views/addcustomer.baml
Source: Euro invoice.exe String found in binary or memory: views/addbook.baml
Source: Euro invoice.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Euro invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Euro invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
Source: Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: Euro invoice.exe, u002d/li1lll1i1IIl.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Euro invoice.exe Code function: 1_2_05FB7003 pushad ; ret 1_2_05FB7019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0553EC22 pushad ; ret 5_2_0553EC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05537AE8 push 8BF04589h; iretd 5_2_05537B74
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 11_2_02C1049B push esp; ret 11_2_02C1049E
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 11_2_02C10438 push ebx; ret 11_2_02C10442
Source: initial sample Static PE information: section name: .text entropy: 7.91256606252

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Euro invoice.exe, 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Euro invoice.exe, 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 3076 Thread sleep count: 3501 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 3076 Thread sleep count: 1881 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 4448 Thread sleep time: -35344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -239016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238262s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -238046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -237750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -237344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -237219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -237109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -237000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -236000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -235828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -235719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -235594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -235344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -235047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -234891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -234750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -234438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -234124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -234016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804 Thread sleep time: -233904s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239828 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239719 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239609 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239499 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239391 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239281 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239141 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239016 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238906 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238625 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238516 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238391 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238262 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238155 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238046 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237344 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237219 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237109 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236891 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236781 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236672 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236563 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236250 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235828 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235719 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235594 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235344 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235047 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234891 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234438 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234124 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234016 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 233904 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Euro invoice.exe Window / User API: threadDelayed 3501 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Window / User API: threadDelayed 1881 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1387 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8460 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Euro invoice.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239828 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 35344 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239719 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239609 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239499 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239391 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239281 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239141 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 239016 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238906 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238625 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238516 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238391 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238262 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238155 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 238046 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237344 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237219 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237109 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 237000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236891 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236781 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236672 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236563 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236250 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 236000 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235828 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235719 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235594 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235344 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 235047 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234891 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234750 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234438 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234124 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 234016 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 233904 Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Euro invoice.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010A1668 LdrInitializeThunk, 5_2_010A1668
Source: C:\Users\user\Desktop\Euro invoice.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Users\user\Desktop\Euro invoice.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.43f4370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.442a590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.442a590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.43f4370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.43f4370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.442a590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.442a590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Euro invoice.exe.43f4370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR