Windows Analysis Report
72EED30398363-0983BNDJ0398763536.exe

Overview

General Information

Sample Name: 72EED30398363-0983BNDJ0398763536.exe
Analysis ID: 632155
MD5: 511ad0297cd3e268e8d0c53c1207dc95
SHA1: aa466a3c5fb1a4c3ae77835fc3d592e8f7a0679b
SHA256: c527fc06df0bca1fe6ef47ff82e1a858af8b50877d97446c7898e5d1a80146a3
Infos:

Detection

NanoCore, GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000007.00000000.48608364005.0000000000B00000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y"}
Multi AV Scanner detection for submitted file
Source: 72EED30398363-0983BNDJ0398763536.exe Virustotal: Detection: 10% Perma Link
Uses 32bit PE files
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FLOKDYRS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MapiProxy.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr
Source: Binary string: MapiProxy.pdb@ source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr
Source: Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\UI\Win7UI\Prism\ObjectBuilder\obj\x64\Release\Microsoft.Practices.ObjectBuilder2.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, Microsoft.Practices.ObjectBuilder2.dll.1.dr
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.193.75.131 91.193.75.131
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/i92dnrd5psv5u8m6hlf298ad6a41tmpe/1653299175000/00136562880816484603/*/1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-as-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49762 -> 91.193.75.131:8476
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000007.00000003.49064457046.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48821940183.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48815125200.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000007.00000003.49064457046.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48821940183.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48815125200.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, lang-1071.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 72EED30398363-0983BNDJ0398763536.exe, rapsende.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, lang-1071.dll.1.dr String found in binary or memory: http://www.avast.com0/
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000007.00000003.48822321376.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-as-docs.googleusercontent.com/
Source: CasPol.exe, 00000007.00000003.49064457046.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48821940183.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-as-docs.googleusercontent.com/%%doc-0c-as-docs.googleusercontent.com
Source: CasPol.exe, 00000007.00000003.49064870478.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-as-docs.googleusercontent.com/B
Source: CasPol.exe, 00000007.00000003.48822321376.0000000001021000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48821940183.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.48815125200.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.49065049837.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.49063940613.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/i92dnrd5
Source: CasPol.exe, 00000007.00000003.49064870478.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-as-docs.googleusercontent.com/w
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr String found in binary or memory: https://mozilla.org0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48843878042.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.1.dr, MapiProxy.dll.1.dr, lang-1071.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/i92dnrd5psv5u8m6hlf298ad6a41tmpe/1653299175000/00136562880816484603/*/1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-as-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.11.20:49761 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809
Uses 32bit PE files
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_6FE71BFF 1_2_6FE71BFF
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D05F4 1_2_032D05F4
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D20C9 1_2_032D20C9
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D7729 1_2_032D7729
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5B08 1_2_032D5B08
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D577F 1_2_032D577F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032E4744 1_2_032E4744
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D575E 1_2_032D575E
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5BB5 1_2_032D5BB5
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5BEB 1_2_032D5BEB
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D77DF 1_2_032D77DF
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D7603 1_2_032D7603
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5A1B 1_2_032D5A1B
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D766C 1_2_032D766C
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032DB641 1_2_032DB641
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D765A 1_2_032D765A
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D56B9 1_2_032D56B9
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032E3A8F 1_2_032E3A8F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032DAEE2 1_2_032DAEE2
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D76C4 1_2_032D76C4
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D06D1 1_2_032D06D1
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D753F 1_2_032D753F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D6D1C 1_2_032D6D1C
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032E3567 1_2_032E3567
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D6D52 1_2_032D6D52
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D75B9 1_2_032D75B9
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D55EE 1_2_032D55EE
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D79E1 1_2_032D79E1
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D65E2 1_2_032D65E2
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D55C7 1_2_032D55C7
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D65C6 1_2_032D65C6
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5811 1_2_032D5811
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5C6F 1_2_032D5C6F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D7449 1_2_032D7449
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5857 1_2_032D5857
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D5CBC 1_2_032D5CBC
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D40B8 1_2_032D40B8
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D748F 1_2_032D748F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D58E6 1_2_032D58E6
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D58D0 1_2_032D58D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 16_2_01CD04B0 16_2_01CD04B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 16_2_01CD0938 16_2_01CD0938
PE file does not import any functions
Source: Microsoft.Practices.ObjectBuilder2.dll.1.dr Static PE information: No import functions for PE file found
Source: lang-1071.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMapiProxy.dll8 vs 72EED30398363-0983BNDJ0398763536.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Practices.ObjectBuilder2.dllT vs 72EED30398363-0983BNDJ0398763536.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefzshellext.dllb! vs 72EED30398363-0983BNDJ0398763536.exe
PE file contains strange resources
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE file contains more sections than normal
Source: fzshellext_64.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: 72EED30398363-0983BNDJ0398763536.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File read: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe"
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe"
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe"
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe"
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4A7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4A7.tmp Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\nssBF1A.tmp Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winEXE@15/20@40/3
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:388:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a79e3faa-9eab-4550-93e8-967a30a2a789}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FLOKDYRS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe Static file information: File size 1141532 > 1048576
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MapiProxy.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr
Source: Binary string: MapiProxy.pdb@ source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.1.dr
Source: Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\UI\Win7UI\Prism\ObjectBuilder\obj\x64\Release\Microsoft.Practices.ObjectBuilder2.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48846396085.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, Microsoft.Practices.ObjectBuilder2.dll.1.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000007.00000000.48608364005.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.48848278548.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_6FE730C0 push eax; ret 1_2_6FE730EE
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D531F push 00000068h; iretd 1_2_032D5321
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D1B1E push edi; retf 1_2_032D1B21
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D4623 push ds; iretd 1_2_032D4653
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D260D push ss; ret 1_2_032D262C
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032DFE8D push 0000006Eh; retf 1_2_032DFEDC
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D51AD push ecx; ret 1_2_032D51AE
PE file contains sections with non-standard names
Source: MapiProxy.dll.1.dr Static PE information: section name: .00cfg
Source: MapiProxy.dll.1.dr Static PE information: section name: .orpc
Source: fzshellext_64.dll.1.dr Static PE information: section name: .xdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6FE71BFF
Drops PE files
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\fzshellext_64.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\lang-1071.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft.Practices.ObjectBuilder2.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\nsfC5C3.tmp\System.dll Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4A7.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Amazonen4 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Amazonen4 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Amazonen4 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Amazonen4 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48845149326.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0B
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48848522726.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48845149326.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48848522726.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3544 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4176 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fzshellext_64.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1071.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Microsoft.Practices.ObjectBuilder2.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D0510 rdtsc 1_2_032D0510
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 720 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 902 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1456 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48845149326.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0b
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000003.49065049837.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48848522726.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48848522726.00000000033D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48845149326.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000001.00000002.48849070438.0000000004F69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6FE71BFF
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D0510 rdtsc 1_2_032D0510
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032E33F5 mov eax, dword ptr fs:[00000030h] 1_2_032E33F5
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032DB641 mov eax, dword ptr fs:[00000030h] 1_2_032DB641
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032DAEE2 mov eax, dword ptr fs:[00000030h] 1_2_032DAEE2
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D55C7 mov eax, dword ptr fs:[00000030h] 1_2_032D55C7
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032E3CC0 mov eax, dword ptr fs:[00000030h] 1_2_032E3CC0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_032D05F4 LdrInitializeThunk, 1_2_032D05F4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: B00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4A7.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 632155 Sample: 72EED30398363-0983BNDJ03987... Startdate: 23/05/2022 Architecture: WINDOWS Score: 96 46 googlehosted.l.googleusercontent.com 2->46 48 drive.google.com 2->48 50 doc-0c-as-docs.googleusercontent.com 2->50 64 Found malware configuration 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Sigma detected: NanoCore 2->68 70 3 other signatures 2->70 9 72EED30398363-0983BNDJ0398763536.exe 4 34 2->9         started        13 CasPol.exe 4 2->13         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\...\System.dll, PE32 9->38 dropped 40 C:\Users\user\AppData\Local\...\lang-1071.dll, PE32 9->40 dropped 42 C:\Users\user\AppData\...\fzshellext_64.dll, PE32+ 9->42 dropped 44 2 other files (none is malicious) 9->44 dropped 72 Writes to foreign memory regions 9->72 74 Tries to detect Any.run 9->74 15 CasPol.exe 1 19 9->15         started        20 CasPol.exe 9->20         started        22 CasPol.exe 9->22         started        24 CasPol.exe 9->24         started        26 conhost.exe 13->26         started        signatures6 process7 dnsIp8 52 drive.google.com 172.217.168.14, 443, 49760 GOOGLEUS United States 15->52 54 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49761 GOOGLEUS United States 15->54 56 8476.hopto.org 91.193.75.131, 49762, 49765, 49770 DAVID_CRAIGGG Serbia 15->56 34 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 15->34 dropped 36 C:\Users\user\AppData\Local\...\tmpE4A7.tmp, XML 15->36 dropped 58 Tries to detect Any.run 15->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->60 28 schtasks.exe 1 15->28         started        30 conhost.exe 15->30         started        62 Uses schtasks.exe or at.exe to add and modify task schedules 20->62 file9 signatures10 process11 process12 32 conhost.exe 28->32         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.168.14
 drive.google.com United States
15169 GOOGLEUS false
172.217.168.33
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
91.193.75.131
 8476.hopto.org Serbia
209623 DAVID_CRAIGGG false

Contacted Domains

Name IP Active
drive.google.com 172.217.168.14 true
googlehosted.l.googleusercontent.com 172.217.168.33 true
8476.hopto.org 91.193.75.131 true
doc-0c-as-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-0c-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/i92dnrd5psv5u8m6hlf298ad6a41tmpe/1653299175000/00136562880816484603/*/1xOEjCOqIA-Yci9ED_I139gMqhvvo_S5Y?e=download false
    		high