Windows Analysis Report
SCAN Swift 054545676700000000000000001.exe

Overview

General Information

Sample Name: SCAN Swift 054545676700000000000000001.exe
Analysis ID: 634468
MD5: c5cc0d82dd8e1cf55d7fd3b5c067752b
SHA1: cdbb4ff532aefa60d63feb5d0717f28c776ef9ed
SHA256: 3e02a6175b6567980d495bc4323d36c137fdc86f80b01a1b0da1d85d105221be

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000002.00000002.140230062541.0000000002A80000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/HUMBLE%202022_esIXilivcW48.bin"}
Source: CasPol.exe.7852.5.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "humhum@nutiribio.comzGNVO(l5smtp.nutiribio.com"}
Source: SCAN Swift 054545676700000000000000001.exe Virustotal: Detection: 13%
Source: SCAN Swift 054545676700000000000000001.exe ReversingLabs: Detection: 12%
Source: SCAN Swift 054545676700000000000000001.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: SCAN Swift 054545676700000000000000001.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msvcr100.i386.pdb source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140228089654.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.2.dr
Source: Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.2.dr
Source: Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.2.dr
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B

Networking

Source: Malware configuration extractor URLs: http://donaldtrumpverse.com/HUMBLE%202022_esIXilivcW48.bin
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic HTTP traffic detected: GET /HUMBLE%202022_esIXilivcW48.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: donaldtrumpverse.comCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000006.00000002.145017469674.000000001DC5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://MBStZn.com
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000006.00000002.144993825927.00000000017E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://donaldtrumpverse.com/HUMBLE%202022_esIXilivcW48.binG
Source: CasPol.exe, 00000006.00000002.144993825927.00000000017E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://donaldtrumpverse.com/HUMBLE%202022_esIXilivcW48.binH
Source: SCAN Swift 054545676700000000000000001.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: CasPol.exe, 00000006.00000002.145016899977.000000001DBEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%H
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/$
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry
Source: CasPol.exe, 00000006.00000002.145018212709.000000001DCF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: donaldtrumpverse.com
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004056DE

System Summary

Source: 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 9180, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 9180, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040755C 2_2_0040755C
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_00406D85 2_2_00406D85
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_6F421BFF 2_2_6F421BFF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A91B90 2_2_02A91B90
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A920AA 2_2_02A920AA
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A902A3 2_2_02A902A3
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A914B1 2_2_02A914B1
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A874B3 2_2_02A874B3
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A87AB6 2_2_02A87AB6
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A86283 2_2_02A86283
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8289F 2_2_02A8289F
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A92AEF 2_2_02A92AEF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A866E7 2_2_02A866E7
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8AAFF 2_2_02A8AAFF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A874FF 2_2_02A874FF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A866F4 2_2_02A866F4
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A87CD3 2_2_02A87CD3
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A87C0F 2_2_02A87C0F
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A86A59 2_2_02A86A59
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8665B 2_2_02A8665B
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A911B8 2_2_02A911B8
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A863F7 2_2_02A863F7
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A865C3 2_2_02A865C3
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A861DF 2_2_02A861DF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A86333 2_2_02A86333
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8670B 2_2_02A8670B
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8616E 2_2_02A8616E
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A87B43 2_2_02A87B43
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A87D5F 2_2_02A87D5F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_01947748 6_2_01947748
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_019456E0 6_2_019456E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_01948EE0 6_2_01948EE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_01947110 6_2_01947110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1DAFE3B8 6_2_1DAFE3B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1DAFB7B6 6_2_1DAFB7B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1DAF6978 6_2_1DAF6978
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1DAF7970 6_2_1DAF7970
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1DAF70D0 6_2_1DAF70D0
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A938D9 NtProtectVirtualMemory, 2_2_02A938D9
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A93E4B NtResumeThread, 2_2_02A93E4B
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A91B90 LoadLibraryA,NtAllocateVirtualMemory, 2_2_02A91B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1D8DB0BA NtQuerySystemInformation, 6_2_1D8DB0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1D8DB089 NtQuerySystemInformation, 6_2_1D8DB089
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140228089654.000000000040D000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SCAN Swift 054545676700000000000000001.exe
Source: SCAN Swift 054545676700000000000000001.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
Source: libLerc.dll.2.dr Static PE information: Number of sections : 11 > 10
Source: libenchant-2.dll.2.dr Static PE information: Number of sections : 12 > 10
Source: gspawn-win64-helper.exe.2.dr Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File read: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe
Source: SCAN Swift 054545676700000000000000001.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe "C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe"
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe"
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe"
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1D8DAF3E AdjustTokenPrivileges, 6_2_1D8DAF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_1D8DAF07 AdjustTokenPrivileges, 6_2_1D8DAF07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\nsu145A.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/12@1/1
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_004021AA CoCreateInstance, 2_2_004021AA
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_0040498A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: CDMDataEventHandler.dll.2.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: Yara match File source: 00000002.00000002.140230062541.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.140089877023.0000000001400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_6F4230C0 push eax; ret 2_2_6F4230EE
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A846AD push ebx; ret 2_2_02A846C9
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A85CBD push edx; retf 6F31h 2_2_02A85CAB
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A856FD push ebx; ret 2_2_02A85715
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A880D3 push eax; iretd 2_2_02A880EA
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8540B push esi; ret 2_2_02A85467
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A84A41 push ebx; iretd 2_2_02A84A4D
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A88052 push B1EDE3B4h; iretd 2_2_02A8807A
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A853B0 push esi; ret 2_2_02A85467
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A82FD2 push esi; retn 7342h 2_2_02A83076
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_01412616 pushad ; ret 6_2_01412628
Source: gspawn-win64-helper.exe.2.dr Static PE information: section name: .xdata
Source: libLerc.dll.2.dr Static PE information: section name: .xdata
Source: libenchant-2.dll.2.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_6F421BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6F421BFF
Source: CDMDataEventHandler.dll.2.dr Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC]
Source: initial sample Static PE information: section name: .text entropy: 6.90904492268
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\libLerc.dll (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File created: C:\Users\user\AppData\Local\Temp\nsk14B9.tmp\System.dll (dropped file)
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230293297.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230293297.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Function Chain: memAlloc,processSet,systemQueried,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,keyOpened,keyEnumerated,keyEnumerated
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,keyOpened,keyEnumerated,keyEnumerated,keyOpened,keyValueQueried,keyValueQueried,keyValueQueried,keyValueQueried
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 368 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 368 Thread sleep time: -98130000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A873BF rdtsc 2_2_02A873BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 3271 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe API call chain: ExitProcess graph end node
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000006.00000002.144994156938.0000000001812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000006.00000002.144993439822.00000000017AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: CasPol.exe, 00000006.00000002.144994156938.0000000001812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP>
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230293297.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230690466.0000000004719000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000006.00000002.144995100093.0000000003289000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: SCAN Swift 054545676700000000000000001.exe, 00000002.00000002.140230293297.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_6F421BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6F421BFF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A873BF rdtsc 2_2_02A873BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A92AEF mov eax, dword ptr fs:[00000030h] 2_2_02A92AEF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8AAFF mov eax, dword ptr fs:[00000030h] 2_2_02A8AAFF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A916CF mov eax, dword ptr fs:[00000030h] 2_2_02A916CF
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A8616E mov eax, dword ptr fs:[00000030h] 2_2_02A8616E
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_02A90F40 mov eax, dword ptr fs:[00000030h] 2_2_02A90F40
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 6_2_01949FB0 LdrInitializeThunk, 6_2_01949FB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1400000 Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SCAN Swift 054545676700000000000000001.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.145016899977.000000001DBEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 9180, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: Yara match File source: 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 9180, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.145016899977.000000001DBEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.145015907365.000000001DB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 9180, type: MEMORYSTR