Windows Analysis Report
QT_0948765446-NMPMUST-9876563783.exe

Overview

General Information

Sample Name: QT_0948765446-NMPMUST-9876563783.exe
Analysis ID: 628420
MD5: 155a8b146f63fcecc360cc1162974373
SHA1: 7abaf8a0df564b853227fdb8a614e7f8ba3edd15
SHA256: 361deb3d9ef665902441a554d099bd5e43266cd6320ef84facacdee256d325bd
Infos:

Detection

NanoCore, GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: NanoCore
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000E.00000000.2626503935.0000000000D00000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X"}
Uses 32bit PE files
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.212.129:443 -> 192.168.11.20:49762 version: TLS 1.2
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\caspol.pdbO source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot0nf77q6jqiqi74hke0fspqmeou4ksp/1652799000000/00504591766740753318/*/15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-38-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49763 -> 91.193.75.131:8476
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2795272185.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2789751149.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2795272185.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2789751149.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: QT_0948765446-NMPMUST-9876563783.exe, qindarka.exe.14.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 0000000E.00000003.4620731373.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3099773700.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4493817238.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-08-38-docs.googleusercontent.com/
Source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2795272185.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2789751149.0000000001015000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-08-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot0nf77q
Source: CasPol.exe, 0000000E.00000003.4620731373.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3099773700.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4493817238.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-08-38-docs.googleusercontent.com/g
Source: CasPol.exe, 0000000E.00000003.4255498172.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4089182342.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4432529097.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4146600706.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3099773700.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4181477384.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100680425.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000000E.00000003.4255498172.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4089182342.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4432529097.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4146600706.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4181477384.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100680425.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X
Source: CasPol.exe, 0000000E.00000003.4255498172.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4089182342.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4432529097.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4146600706.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4181477384.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100680425.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X(
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot0nf77q6jqiqi74hke0fspqmeou4ksp/1652799000000/00504591766740753318/*/15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-38-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.212.129:443 -> 192.168.11.20:49762 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809
Uses 32bit PE files
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_70F51BFF 0_2_70F51BFF
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D25D5 0_2_032D25D5
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D3CF5 0_2_032D3CF5
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C732A 0_2_032C732A
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D4B25 0_2_032D4B25
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5730 0_2_032C5730
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C0700 0_2_032C0700
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C575E 0_2_032C575E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C53BE 0_2_032C53BE
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5BB6 0_2_032C5BB6
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032CB395 0_2_032CB395
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C73FF 0_2_032C73FF
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C57D1 0_2_032C57D1
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D4A3E 0_2_032D4A3E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D2231 0_2_032D2231
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5A11 0_2_032C5A11
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C72A0 0_2_032C72A0
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C568B 0_2_032C568B
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C729A 0_2_032C729A
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D4297 0_2_032D4297
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5AFE 0_2_032C5AFE
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5935 0_2_032C5935
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5D0E 0_2_032C5D0E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C758D 0_2_032C758D
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D4DCA 0_2_032D4DCA
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C55C6 0_2_032C55C6
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C59D5 0_2_032C59D5
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C5808 0_2_032C5808
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C587A 0_2_032C587A
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C74B2 0_2_032C74B2
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C54FC 0_2_032C54FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 19_2_04D004B0 19_2_04D004B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 19_2_04D00938 19_2_04D00938
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D5DCF NtProtectVirtualMemory, 0_2_032D5DCF
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D6480 NtResumeThread, 0_2_032D6480
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D3CF5 NtAllocateVirtualMemory, 0_2_032D3CF5
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: library.dll.0.dr Static PE information: No import functions for PE file found
PE file contains strange resources
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE file contains more sections than normal
Source: libpixbufloader-tiff.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: library.dll.0.dr Static PE information: Section .rsrc
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File read: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Jump to behavior
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe"
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe"
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe"
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe"
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1B52.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1B52.tmp Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File created: C:\Users\user\AppData\Local\Temp\nsv8DFF.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winEXE@15/17@36/3
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a79e3faa-9eab-4550-93e8-967a30a2a789}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: QT_0948765446-NMPMUST-9876563783.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\caspol.pdbO source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 0000000E.00000000.2626503935.0000000000D00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3285433939.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_70F530C0 push eax; ret 0_2_70F530EE
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C2E97 push AE322A75h; retf E248h 0_2_032C2F64
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C7F2D push cs; ret 0_2_032C7F2B
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C373C push FFFFFF84h; retf 0_2_032C3741
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C3314 pushad ; iretd 0_2_032C3315
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C7EED push cs; ret 0_2_032C7F2B
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C2EEB push AE322A75h; retf E248h 0_2_032C2F64
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C0DAB push eax; iretd 0_2_032C0DB0
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C6188 push esp; retf 0_2_032D1EFB
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C3C74 push es; retf 0_2_032C3C75
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C64A1 push esp; retf 0_2_032D1EFB
PE file contains sections with non-standard names
Source: libpixbufloader-tiff.dll.0.dr Static PE information: section name: .xdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_70F51BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70F51BFF
Drops PE files
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File created: C:\Users\user\AppData\Local\Temp\nsq8ECC.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File created: C:\Users\user\AppData\Local\Temp\library.dll Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File created: C:\Users\user\AppData\Local\Temp\libpixbufloader-tiff.dll Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1B52.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce TIRLS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce TIRLS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce TIRLS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce TIRLS Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285607259.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285607259.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7724 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3996 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3980 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\library.dll Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libpixbufloader-tiff.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C6C04 rdtsc 0_2_032C6C04
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 1125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1488 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWKA
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000000E.00000003.4255498172.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4089182342.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4494173257.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4432529097.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100038167.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4146600706.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4620929748.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4181477384.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3100680425.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285607259.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285607259.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: QT_0948765446-NMPMUST-9876563783.exe, 00000000.00000002.3285926325.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_70F51BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70F51BFF
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032C6C04 rdtsc 0_2_032C6C04
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032CB395 mov eax, dword ptr fs:[00000030h] 0_2_032CB395
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D3797 mov eax, dword ptr fs:[00000030h] 0_2_032D3797
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_032D4DCA mov eax, dword ptr fs:[00000030h] 0_2_032D4DCA
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: D00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1B52.tmp Jump to behavior
Source: CasPol.exe, 0000000E.00000003.2820224419.000000001F914000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerC:/Windows/Micr
Source: CasPol.exe, 0000000E.00000003.4181705491.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4432749643.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3889484300.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 0000000E.00000003.3813457054.000000001F91F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2887786854.000000001F920000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3925313301.000000001F91F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\caspol.exe
Source: CasPol.exe, 0000000E.00000003.3813457054.000000001F91F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.2887786854.000000001F920000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3997063226.000000001F91F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\caspol.exe
Source: CasPol.exe, 0000000E.00000003.4031388100.000000001F914000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.3862073877.000000001F914000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000E.00000003.4000202776.000000001F914000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\caspol.exeC:/Windows/Micr
Source: CasPol.exe, 0000000E.00000003.2820274280.000000001F920000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager$
Source: CasPol.exe, 0000000E.00000003.2820274280.000000001F920000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 628420 Sample: QT_0948765446-NMPMUST-98765... Startdate: 17/05/2022 Architecture: WINDOWS Score: 88 44 googlehosted.l.googleusercontent.com 2->44 46 drive.google.com 2->46 48 doc-08-38-docs.googleusercontent.com 2->48 62 Found malware configuration 2->62 64 Sigma detected: NanoCore 2->64 66 Yara detected GuLoader 2->66 68 2 other signatures 2->68 9 QT_0948765446-NMPMUST-9876563783.exe 28 2->9         started        13 CasPol.exe 4 2->13         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\...\System.dll, PE32 9->38 dropped 40 C:\Users\user\AppData\Local\...\library.dll, PE32 9->40 dropped 42 C:\Users\user\...\libpixbufloader-tiff.dll, PE32+ 9->42 dropped 70 Writes to foreign memory regions 9->70 72 Tries to detect Any.run 9->72 15 CasPol.exe 1 19 9->15         started        20 CasPol.exe 9->20         started        22 CasPol.exe 9->22         started        24 CasPol.exe 9->24         started        26 conhost.exe 13->26         started        signatures6 process7 dnsIp8 50 drive.google.com 142.250.185.78, 443, 49761 GOOGLEUS United States 15->50 52 googlehosted.l.googleusercontent.com 216.58.212.129, 443, 49762 GOOGLEUS United States 15->52 54 8476.hopto.org 91.193.75.131, 49782, 49784, 49785 DAVID_CRAIGGG Serbia 15->54 34 C:\Users\user\AppData\Roaming\...\run.dat, data 15->34 dropped 36 C:\Users\user\AppData\Local\...\tmp1B52.tmp, XML 15->36 dropped 56 Tries to detect Any.run 15->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->58 28 schtasks.exe 1 15->28         started        30 conhost.exe 15->30         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 20->60 file9 signatures10 process11 process12 32 conhost.exe 28->32         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.185.78
 drive.google.com United States
15169 GOOGLEUS false
216.58.212.129
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
91.193.75.131
 8476.hopto.org Serbia
209623 DAVID_CRAIGGG false

Contacted Domains

Name IP Active
drive.google.com 142.250.185.78 true
googlehosted.l.googleusercontent.com 216.58.212.129 true
8476.hopto.org 91.193.75.131 true
doc-08-38-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-08-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot0nf77q6jqiqi74hke0fspqmeou4ksp/1652799000000/00504591766740753318/*/15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X?e=download false
    		high