Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe
Analysis ID:	635390
MD5:	77436b29832ded92b60491ea36018196
SHA1:	0314eca204964e3e189b0c0aed7f449e487dc98e
SHA256:	b19c8495104c354de9aa1b3403bff2d1211a89fe8892e866d2d8dfd7bb0ba5da
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Antivirus detection for URL or domain

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Contains functionality to detect virtual machines (SLDT)

PE file contains more sections than normal

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.945527558.0000000002B00000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/kO4_tiMHM116.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%			Perma Link
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Antivirus detection for URL or domain

Source: ftp://ftp.solucionest.com.ar/office

Avira URL Cloud: Label: malware

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20409678 CryptUnprotectData,		4_2_20409678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20409D60 CryptUnprotectData,		4_2_20409D60

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://donaldtrumpverse.com/kO4_tiMHM116.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /kO4_tiMHM116.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: donaldtrumpverse.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.solucionest.com.ar/office
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.997300925.000000001C411000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728362756.000000001D5A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42ScOTnxUv4XWwo.net
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin2
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jGgoxh.com
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: donaldtrumpverse.com

Source: global traffic

HTTP traffic detected: GET /kO4_tiMHM116.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: donaldtrumpverse.comCache-Control: no-cache

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_71081BFF	0_2_71081BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDC1E0	4_2_00EDC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDDAB0	4_2_00EDDAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED7B58	4_2_00ED7B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDF446	4_2_00EDF446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED37C8	4_2_00ED37C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2DA160	4_2_1D2DA160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2D9890	4_2_1D2D9890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2D9548	4_2_1D2D9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E2820	4_2_203E2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E2C60	4_2_203E2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E8A50	4_2_203E8A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203EB698	4_2_203EB698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203ED7F1	4_2_203ED7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E79B0	4_2_203E79B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040F478	4_2_2040F478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040047B	4_2_2040047B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040E0E0	4_2_2040E0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20403080	4_2_20403080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20407290	4_2_20407290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20405EA8	4_2_20405EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040B8F8	4_2_2040B8F8

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

PE file contains strange resources

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE file contains more sections than normal

Source: libLerc.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libenchant-2.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: gspawn-win64-helper.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File created: C:\Users\user\AppData\Local\Temp\nst89F3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/12@3/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: CDMDataEventHandler.dll.0.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs

Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78'

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.945527558.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.813096057.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_710830C0 push eax; ret		0_2_710830EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED849F push edi; retn 0000h		4_2_00ED84A1

PE file contains sections with non-standard names

Source: gspawn-win64-helper.exe.0.dr	Static PE information: section name: .xdata
Source: libLerc.dll.0.dr	Static PE information: section name: .xdata
Source: libenchant-2.dll.0.dr	Static PE information: section name: .xdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_71081BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_71081BFF

Binary contains a suspicious time stamp

Source: CDMDataEventHandler.dll.0.dr

Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.90904492268

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\nsy8A61.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944634357.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944895221.000000000087C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7576

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9440

Jump to behavior

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 4_2_1D2D0C40 sldt word ptr [eax]

4_2_1D2D0C40

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000002.5704750244.000000000129C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5702999054.000000000122B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944634357.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944895221.000000000087C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_71081BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_71081BFF

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 4_2_203E6250 LdrInitializeThunk,

4_2_203E6250

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.211.219.10	donaldtrumpverse.com	Seychelles		394695	PUBLIC-DOMAIN-REGISTRYUS	true

Contacted Domains

Name	IP	Active
dual-a-0001.a-msedge.net	13.107.21.200	true
e-0009.e-msedge.net	13.107.5.88	true
solucionest.com.ar	192.185.112.181	true
donaldtrumpverse.com	103.211.219.10	true
ftp.solucionest.com.ar	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://donaldtrumpverse.com/kO4_tiMHM116.bin	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.945527558.0000000002B00000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/kO4_tiMHM116.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%			Perma Link
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Antivirus detection for URL or domain

Source: ftp://ftp.solucionest.com.ar/office

Avira URL Cloud: Label: malware

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20409678 CryptUnprotectData,		4_2_20409678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20409D60 CryptUnprotectData,		4_2_20409D60

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://donaldtrumpverse.com/kO4_tiMHM116.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /kO4_tiMHM116.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: donaldtrumpverse.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.solucionest.com.ar/office
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.997300925.000000001C411000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728362756.000000001D5A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42ScOTnxUv4XWwo.net
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin2
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jGgoxh.com
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: donaldtrumpverse.com

Source: global traffic

HTTP traffic detected: GET /kO4_tiMHM116.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: donaldtrumpverse.comCache-Control: no-cache

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_71081BFF	0_2_71081BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDC1E0	4_2_00EDC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDDAB0	4_2_00EDDAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED7B58	4_2_00ED7B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00EDF446	4_2_00EDF446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED37C8	4_2_00ED37C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2DA160	4_2_1D2DA160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2D9890	4_2_1D2D9890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D2D9548	4_2_1D2D9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E2820	4_2_203E2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E2C60	4_2_203E2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E8A50	4_2_203E8A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203EB698	4_2_203EB698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203ED7F1	4_2_203ED7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_203E79B0	4_2_203E79B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040F478	4_2_2040F478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040047B	4_2_2040047B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040E0E0	4_2_2040E0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20403080	4_2_20403080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20407290	4_2_20407290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_20405EA8	4_2_20405EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_2040B8F8	4_2_2040B8F8

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

PE file contains strange resources

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE file contains more sections than normal

Source: libLerc.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libenchant-2.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: gspawn-win64-helper.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File created: C:\Users\user\AppData\Local\Temp\nst89F3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/12@3/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: CDMDataEventHandler.dll.0.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs

Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78'

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.943873169.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.945527558.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.813096057.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_710830C0 push eax; ret		0_2_710830EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_00ED849F push edi; retn 0000h		4_2_00ED84A1

PE file contains sections with non-standard names

Source: gspawn-win64-helper.exe.0.dr	Static PE information: section name: .xdata
Source: libLerc.dll.0.dr	Static PE information: section name: .xdata
Source: libenchant-2.dll.0.dr	Static PE information: section name: .xdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_71081BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_71081BFF

Binary contains a suspicious time stamp

Source: CDMDataEventHandler.dll.0.dr

Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.90904492268

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\nsy8A61.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944634357.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944895221.000000000087C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7576

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9440

Jump to behavior

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 4_2_1D2D0C40 sldt word ptr [eax]

4_2_1D2D0C40

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000002.5704750244.000000000129C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5702999054.000000000122B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944634357.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944895221.000000000087C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_71081BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_71081BFF

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 4_2_203E6250 LdrInitializeThunk,

4_2_203E6250

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8884, type: MEMORYSTR

ID:	635390
Product:	CloudBasic
Start time:	21:08:54
Start date:	27.05.2022
Sample:	SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	77436b29832ded92b60491ea36018196
SHA1:	0314eca204964e3e189b0c0aed7f449e487dc98e
SHA256:	b19c8495104c354de9aa1b3403bff2d1211a89fe8892e866d2d8dfd7bb0ba5da
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Auriculariae5.Reo2	data	B884606DE1CB711FA0FABBA8384FA60C	2ECD66DE4565AF1C7F8A7016BEAB49B7A7F1CDEA	246459B881CCE72B63AD541D0E8B29A3CB4A14ED193D08BDB68159A32F786539
C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_ITA.chm	MS Windows HtmlHelp Data	27729CF331D3767DF077F52B262D88F3	EF4B6F74A0608B5A4DC6E3CA465A96137C1CAD74	CA601E57DD2C1E6E92145A8A19083599261B626A4D26B04D8C3FD5BDDDB2CB0D
C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	25F3ECFD195030F6B1BAD60E5EF97163	749B7E267CDBBC83783DFA4C7BF45134556C13D7	FCD740746D2B3E01945E6A099AB4CDD06ECE05818E25D08C5DDAFBD333B0DC84
C:\Users\user\AppData\Local\Temp\Forynget2.Mir	ASCII text, with very long lines, with no line terminators	B62B20F6B03B0C3A561EA7B0AEB0E812	72B3F32CE0DB4909D7CF0C4385718188C61CA2C6	12C49D1622818D8454A1E4BB2EFBF21459CCE0C284A31D53E775B0B24EC849CF
C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	8154B723020AEE70829FFC138C9D1C4C	6F7AF3827B37845F071625458DF1DB8BA9056FD6	902F9D2A239CCAEBA677DB5838654FB6CE7CF3D21243B8EF122E9D970714B0D3
C:\Users\user\AppData\Local\Temp\libLerc.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	58BFEB91921D4882F7EDABAB9C0C1C17	596DB0512A25089EF7CDE48CA3393E4F6878FF90	5C9DB6D64BAF0250735368825CEC3032EC39999F266125D132157ECC0403EE12
C:\Users\user\AppData\Local\Temp\libenchant-2.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	6A9928C42EB4375CCEF3A025F3535795	395703F4970B42F55C2BCB2B8CF3F0D12E192CEB	CAA457EF4BD84476790D215FFFF048DEB162CABC14DB3FF679795CCEA8972411
C:\Users\user\AppData\Local\Temp\msvcr100.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0E37FBFA79D349D672456923EC5FBBE3	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
C:\Users\user\AppData\Local\Temp\nsy8A61.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\system-shutdown.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	84D033B14C06568FA57352CCF18D8D35	1D75B42F61842E8B0FA8D811DAC72B313CDDCA74	3989B93626DC3ED6EF03430AD0B1FF5C6E358DAC76E34ED7C8086579B68E660F
C:\Users\user\AppData\Local\Temp\zoom-out-symbolic.svg	SVG Scalable Vector Graphics image	C05C42CB3D95BF3BC7F49CCD8DCCA510	20442E344E95508586B1B2A7B4C6272C3F5C86F8	695554CE5F23A275D3C25C27410D0CFBF8A83156807DAA3A601635E4E5D8AED0
\Device\ConDrv	ASCII text, with CRLF line terminators	9F754B47B351EF0FC32527B541420595	006C66220B33E98C725B73495FE97B3291CE14D9	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe