Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name: 6culQoI97a.exe
Analysis ID: 755473
MD5: d9aa122b8c39444799e60eabbab69502
SHA1: 0175baf7a240c2050571a6df273a892e8b192d81
SHA256: 317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 6culQoI97a.exe ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe Virustotal: Detection: 56%
Source: ftp://ftp.gettoner.com.mx/droid Avira URL Cloud: Label: malware
Source: http://195.178.120.24/mhpgXW188.chm Avira URL Cloud: Label: malware
Source: 6culQoI97a.exe.9084.2.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}
Source: 6culQoI97a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 6culQoI97a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00406448 FindFirstFileA,FindClose, 2_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_004027A1 FindFirstFileA, 2_2_004027A1
Source: Joe Sandbox View IP Address: 195.178.120.24 195.178.120.24
Source: global traffic HTTP traffic detected: GET /mhpgXW188.chm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 195.178.120.24
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.gettoner.com.mx/droid
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000009.00000002.5786454694.0000000001396000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.178.120.24/mhpgXW188.chm
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://NwSpLV.com
Source: 6culQoI97a.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: global traffic HTTP traffic detected: GET /mhpgXW188.chm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 195.178.120.24
Cache-Control: no-cache
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_00405339

System Summary

Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6culQoI97a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403325
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_73DD1A98 2_2_73DD1A98
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EDEC82 2_2_02EDEC82
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE02EE 2_2_02EE02EE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC76FF 2_2_02EC76FF
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB2CF 2_2_02ECB2CF
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC72DB 2_2_02EC72DB
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC76BA 2_2_02EC76BA
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBE84 2_2_02ECBE84
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6E7B 2_2_02EC6E7B
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC824F 2_2_02EC824F
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6E46 2_2_02EC6E46
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EDEE46 2_2_02EDEE46
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6E47 2_2_02EC6E47
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBA0D 2_2_02ECBA0D
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB3F8 2_2_02ECB3F8
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB7CA 2_2_02ECB7CA
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC73A9 2_2_02EC73A9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6FA3 2_2_02EC6FA3
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC73BD 2_2_02EC73BD
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE3FBA 2_2_02EE3FBA
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE137C 2_2_02EE137C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE0B71 2_2_02EE0B71
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC8B4B 2_2_02EC8B4B
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE433C 2_2_02EE433C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB4E3 2_2_02ECB4E3
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC70C8 2_2_02EC70C8
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC88D9 2_2_02EC88D9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC8841 2_2_02EC8841
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ED2824 2_2_02ED2824
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC7801 2_2_02EC7801
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC35EB 2_2_02EC35EB
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC71EB 2_2_02EC71EB
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC89FD 2_2_02EC89FD
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC85F3 2_2_02EC85F3
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECA9A0 2_2_02ECA9A0
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB1B5 2_2_02ECB1B5
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC359E 2_2_02EC359E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE0997 2_2_02EE0997
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB17E 2_2_02ECB17E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE1D76 2_2_02EE1D76
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBD71 2_2_02ECBD71
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBD09 2_2_02ECBD09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011DDD83 9_2_011DDD83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011DE1D0 9_2_011DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011DB025 9_2_011DB025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011D83E0 9_2_011D83E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011D4928 9_2_011D4928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011DA0D0 9_2_011DA0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_011D1BD8 9_2_011D1BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0124C510 9_2_0124C510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_01244168 9_2_01244168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_012455E8 9_2_012455E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0124D8F8 9_2_0124D8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_01246790 9_2_01246790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_012496F0 9_2_012496F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_01243179 9_2_01243179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_012425E8 9_2_012425E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_012437B0 9_2_012437B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D445D08 9_2_1D445D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D444EF0 9_2_1D444EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D4469D0 9_2_1D4469D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D444374 9_2_1D444374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D445C41 9_2_1D445C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D4469F1 9_2_1D4469F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F88BE70 9_2_1F88BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F884320 9_2_1F884320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F88B110 9_2_1F88B110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F881130 9_2_1F881130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F883708 9_2_1F883708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1F883A50 9_2_1F883A50
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE3AF0 NtQueryInformationProcess, 2_2_02EE3AF0
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE2B7C NtProtectVirtualMemory, 2_2_02EE2B7C
Source: C:\Users\user\Desktop\6culQoI97a.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: 6culQoI97a.exe ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\6culQoI97a.exe File read: C:\Users\user\Desktop\6culQoI97a.exe
Source: 6culQoI97a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6culQoI97a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\6culQoI97a.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Users\user\Desktop\6culQoI97a.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6culQoI97a.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Users\user\Desktop\6culQoI97a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Temp\nskC4E.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/4@0/1
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_0040216B CoCreateInstance,MultiByteToWideChar, 2_2_0040216B
Source: C:\Users\user\Desktop\6culQoI97a.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 2_2_004045EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6culQoI97a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_73DD2F60 push eax; ret 2_2_73DD2F8E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC514F push edi; ret 2_2_02EC51B9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC9AEB pushad ; retf 2_2_02EC9AEF
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC56C8 push ds; ret 2_2_02EC5766
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC3ACA push esp; iretd 2_2_02EC3B4F
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECC658 push cs; ret 2_2_02ECC673
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC4BE4 push 6B8BC5CBh; retf 2_2_02EC4BFE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC3FB0 push ss; ret 2_2_02EC3FB4
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC537B push edi; ret 2_2_02EC51B9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC24CD push esp; ret 2_2_02EC24D7
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC145C pushad ; ret 2_2_02EC1460
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC517A push edi; ret 2_2_02EC51B9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC4D44 push ebx; retf 2_2_02EC4D45
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECC13C pushfd ; retn BE8Dh 2_2_02ECC247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0124142F push edi; retn 0000h 9_2_01241431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1D444C51 push ds; ret 9_2_1D444C7F
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_73DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_73DD1A98
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Temp\nspCBC.tmp\System.dll
Source: C:\Users\user\Desktop\6culQoI97a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\6culQoI97a.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\6culQoI97a.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: 6culQoI97a.exe, 00000002.00000002.1203249010.0000000000A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEPGZ
Source: 6culQoI97a.exe, 00000002.00000002.1203507076.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6664 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6664 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8632 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC81AD rdtsc 2_2_02EC81AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00406448 FindFirstFileA,FindClose, 2_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_004027A1 FindFirstFileA, 2_2_004027A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\6culQoI97a.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\6culQoI97a.exe API call chain: ExitProcess graph end node
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000009.00000002.5787444252.00000000013C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000009.00000002.5785252784.000000000135B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: 6culQoI97a.exe, 00000002.00000002.1203249010.0000000000A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exepGz
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 6culQoI97a.exe, 00000002.00000002.1203507076.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: 6culQoI97a.exe, 00000002.00000002.1204307572.0000000003049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_73DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_73DD1A98
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC81AD rdtsc 2_2_02EC81AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6E46 mov eax, dword ptr fs:[00000030h] 2_2_02EC6E46
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EC6E47 mov eax, dword ptr fs:[00000030h] 2_2_02EC6E47
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBA0D mov ebx, dword ptr fs:[00000030h] 2_2_02ECBA0D
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBA0D mov eax, dword ptr fs:[00000030h] 2_2_02ECBA0D
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECBBF7 mov eax, dword ptr fs:[00000030h] 2_2_02ECBBF7
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB7CA mov eax, dword ptr fs:[00000030h] 2_2_02ECB7CA
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECA44C mov eax, dword ptr fs:[00000030h] 2_2_02ECA44C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB84D mov eax, dword ptr fs:[00000030h] 2_2_02ECB84D
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB80E mov eax, dword ptr fs:[00000030h] 2_2_02ECB80E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EDFDE9 mov eax, dword ptr fs:[00000030h] 2_2_02EDFDE9
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB960 mov eax, dword ptr fs:[00000030h] 2_2_02ECB960
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECB17E mov eax, dword ptr fs:[00000030h] 2_2_02ECB17E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EE1D76 mov eax, dword ptr fs:[00000030h] 2_2_02EE1D76
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02ECC936 mov eax, dword ptr fs:[00000030h] 2_2_02ECC936
Source: C:\Users\user\Desktop\6culQoI97a.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_02EDFE03 LdrLoadDll, 2_2_02EDFE03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\6culQoI97a.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: FB0000
Source: C:\Users\user\Desktop\6culQoI97a.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\6culQoI97a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 2_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403325

Stealing of Sensitive Information

Source: Yara match File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2424, type: MEMORYSTR