
Analysis Report TkAngEQurH.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 763719
Start date: 18.01.2019
Start time: 15:22:17
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TkAngEQurH.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/6@7/2
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 81%
  • Number of executed functions: 92
  • Number of non-executed functions: 238
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe, WmiApSrv.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: RegAsm.exe

Detection

Strategy: Threshold | Score: 100 | Range: 0 - 100 | Reporting: Report FP / FN | Whitelisted: false | Detection: malicious

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification: mal100.troj.evad.winEXE@4/6@7/2

Analysis Advice

None of the HTTP servers contacted by the sample resolve; it is likely an old dropper whose infrastructure no longer works.
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the switches may require a prefix such as "-", "/" or "--").
Sample monitors window changes (e.g. starting applications); analyze it with the 'Simulates keyboard and window changes' cookbook.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques matched by signatures, grouped by tactic (the trailing number on each technique is the signature-count badge shown in the matrix; the matrix's unmatched template cells are omitted):

Initial Access: no matched techniques
Execution: Graphical User Interface 1
Persistence: Bootkit 1; Startup Items 2
Privilege Escalation: Startup Items 2; Process Injection 111
Defense Evasion: Software Packing 2; Disabling Security Tools 1; Process Injection 111; Obfuscated Files or Information 3
Credential Access: Input Capture 11
Discovery: Process Discovery 3; Account Discovery 1; Security Software Discovery 5111; Remote System Discovery 1; System Network Configuration Discovery 1; System Information Discovery 34
Lateral Movement: no matched techniques
Collection: Input Capture 11
Exfiltration: Data Encrypted 1
Command and Control: Uncommonly Used Port 1; Standard Cryptographic Protocol 1; Remote Access Tools 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | virustotal: Detection: 46%
Multi AV Scanner detection for submitted file
Source: TkAngEQurH.exe | virustotal: Detection: 46%
Antivirus detection for unpacked file
Source: 2.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.0.RegAsm.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function 0_2_00464696: GetFileAttributesW, FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00464696: GetFileAttributesW, FindFirstFileW, FindClose

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00397585: 4x nop then jmp 003977E5h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039E0BE: 4x nop then push dword ptr [ebp+14h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039E138: 4x nop then push dword ptr [ebp+14h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390136: 4x nop then jmp 003901E4h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039D10A: 4x nop then mov ecx, 0000003Ch
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039D10A: 4x nop then lea eax, dword ptr [ebp-64h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039D10A: 4x nop then mov ecx, 00000005h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00391177: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039D217: 4x nop then mov ecx, 00000005h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00391247: 4x nop then push dword ptr [ebp+1Ch]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390282: 4x nop then jmp 00390327h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00389404: 4x nop then add edi, 04h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00389474: 4x nop then add edi, 04h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_003914ED: 4x nop then mov edi, eax
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039155D: 4x nop then mov edi, eax
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039D542: 4x nop then inc dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_003915E0: 4x nop then mov edi, eax
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039164D: 4x nop then mov edi, eax
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039F79F: 4x nop then cmp al, 7Ah
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039F79F: 4x nop then sub al, 20h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00391856: 4x nop then push 00008000h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0039F97C: 4x nop then mov ebx, dword ptr [edx+000000ECh]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00389D77: 4x nop then cmp eax, dword ptr [edx+0111C55Ch]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00389D77: 4x nop then cmp eax, dword ptr [edx+0111C544h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00399D5C: 4x nop then cmp eax, 7Ah
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00399D5C: 4x nop then sub eax, 20h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00399D5C: 4x nop then cmp eax, 7Ah
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00399D5C: 4x nop then sub eax, 20h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00388DE2: 4x nop then add edi, 04h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390E02: 4x nop then mov eax, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390E02: 4x nop then cmp edx, dword ptr [esi+00001092h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390E02: 4x nop then cmp ecx, dword ptr [esi+00001082h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390E02: 4x nop then mov eax, esi
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390E02: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0038FF33: 4x nop then jmp 0038FFE9h
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390F40: 4x nop then mov eax, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00390F40: 4x nop then mov edx, dword ptr [ebp+08h]

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49223 -> 144.76.215.120:9003
May check the online IP address of the machine
Source: unknown | DNS query: name: www.iptrackeronline.com (4 queries)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 45.55.57.244
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic | TCP traffic: 192.168.1.16:49225 -> 45.55.57.244:443
Found strings which match to known social media urls
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: '//connect.facebook.net/en_US/all.js'; equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: <!-- Facebook SDK --> equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1878729924.0052D000.00000004.sdmp | String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doddyfire.dyndns.org
Urls found in memory or binary data
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0O
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b37fe583ce910
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eno
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | String found in binary or memory: http://goo.gl/YroZm&quot;
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TkAngEQurH.exe | String found in binary or memory: http://www.autoitscript.com/autoit3/R
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://apis.google.com/js/platform.js
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: https://randomuser.me/api/
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://rec.smartlook.com/recorder.js
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp | String found in binary or memory: https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://unpkg.com/leaflet
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1879900052.01C9E000.00000004.sdmp | String found in binary or memory: https://www.connecticallc.com/
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/favicon.ico
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/images/ipt-fb-logo.png
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com?ip_address=
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com?ip_address=185.32.222.17
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown | Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49225 -> 443
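The networking findings above (a dynamic-DNS name, an IP-lookup service, and a flow to 144.76.215.120 on 9003/tcp) pay off when correlated rather than alerted on one by one. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses constructed DNS and TCP log lines, tags dynamic-DNS and IP-check hostnames, and reports outbound flows to public addresses on non-standard ports, annotating each flow with whichever hostname resolved to its destination earlier in the log. The suffix lists, the well-known-port set and the name-to-address pairings are assumptions (the report lists the queries and the flows but does not pair them), and the ctldl.windowsupdate.com line is a benign control.

```python
import ipaddress
import re
from collections import defaultdict

# Illustrative lists, not a vetted threat feed (assumption for this example).
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "no-ip.org", "no-ip.biz",
                   "ddns.net", "duckdns.org", "hopto.org", "zapto.org")
IP_CHECK_HOSTS = ("iptrackeronline.com", "ipify.org", "icanhazip.com",
                  "whatismyip.com", "ipinfo.io", "ip-api.com")
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995}

DNS_LINE = re.compile(r"^DNS\s+(?P<name>\S+)\s+->\s+(?P<ip>\S+)$")
TCP_LINE = re.compile(
    r"^TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed log lines. The 9003/tcp and 443/tcp flows and the two hostnames come
# from the report; which name resolved to which address is assumed here, and the
# 203.0.113.10 (RFC 5737 documentation range) lines are a benign control.
LOG = """\
DNS doddyfire.dyndns.org -> 144.76.215.120
DNS www.iptrackeronline.com -> 45.55.57.244
TCP 192.168.1.16:49223 -> 144.76.215.120:9003
TCP 192.168.1.16:49225 -> 45.55.57.244:443
DNS ctldl.windowsupdate.com -> 203.0.113.10
TCP 192.168.1.16:49230 -> 203.0.113.10:80
"""


def host_matches(name: str, suffixes) -> bool:
    """True when name equals, or is a subdomain of, any suffix.

    Case-insensitive and tolerant of a trailing dot; a suffix embedded in the
    middle of a name (dyndns.org.evil.example) does not match."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def analyse(log: str):
    """Return (category, detail) findings from the DNS/TCP log.

    Categories: 'dyndns' for dynamic-DNS hostnames, 'ip-check' for external
    IP-lookup services, 'odd-port' for outbound flows to public addresses on
    ports outside WELL_KNOWN_PORTS, annotated with the names that resolved to
    the destination (or <unresolved> when no DNS answer preceded the flow)."""
    resolved = defaultdict(set)
    findings = []
    for line in log.splitlines():
        m = DNS_LINE.match(line)
        if m:
            resolved[m["ip"]].add(m["name"].lower().rstrip("."))
            if host_matches(m["name"], DYNDNS_SUFFIXES):
                findings.append(("dyndns", m["name"]))
            elif host_matches(m["name"], IP_CHECK_HOSTS):
                findings.append(("ip-check", m["name"]))
            continue
        m = TCP_LINE.match(line)
        if m and int(m["dport"]) not in WELL_KNOWN_PORTS:
            dst = m["dst"]
            # Only public destinations matter here; lab-internal traffic is skipped.
            if ipaddress.ip_address(dst).is_global:
                names = ",".join(sorted(resolved.get(dst, {"<unresolved>"})))
                findings.append(("odd-port", f"{dst}:{m['dport']} ({names})"))
    return findings


if __name__ == "__main__":
    for category, detail in analyse(LOG):
        print(f"{category:9s} {detail}")
```

Ordering matters: DNS answers are recorded before flows are examined, so in a real pipeline the resolver log must be merged with the flow log by timestamp or the annotation degrades to <unresolved>.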

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function 0_2_00402344: GetCursorPos, ScreenToClient, GetAsyncKeyState, GetAsyncKeyState, GetWindowLongW

System Summary:

Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function 0_2_00403B4C: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00403B4C: This is a third-party compiled AutoIt script.
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_1_00403B4C: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
PE file has nameless sections
Source: TkAngEQurH.exe | Static PE information: section name: (empty), three occurrences
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: (empty), three occurrences
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_0038C6D8: CreateFileA, DeviceIoControl
Creates mutexes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\2\BaseNamedObjects\bf0531fb-fa28-49ea-81c4-428bcbe79ca8
Detected potential crypto function
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code functions (0_2): 004233C7, 0040E800, 0040FE40, 0048804A, 0040E060, 00437006, 0041710E, 00413190, 00401287, 00422405, 0042F419, 00436522, 004216C4, 00416843, 0042283A, 004278D3, 004389DF
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code functions (4_2): 004233C7, 0040E800, 0048804A, 0040E060, 00437006, 0041710E, 00413190, 00422405, 0042F419, 00436522, 004216C4, 00416843, 0042283A, 004278D3, 0040192B, 004389DF, 00418A0E, 00436A94, 0042DBB5, 00421BB8, 0042CD61, 0040FE40, 00421FD0, 0042BFE6, 00384017, 00381252, 00385389, 0039C4D0, 003844CA, 0038456E, 0039C553, 0038A54E, 0038560B, 0039C6D9, 0038571F, 0038177E, 0038192D, 00383FE3
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code functions (4_1): 004233C7, 0040E800, 0048804A, 0040E060, 00437006
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: String function 00428B40 appears 44 times
PE file contains strange resources
Source: TkAngEQurH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TkAngEQurH.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (three times)
Sample file is different than original file name gathered from version info
Source: TkAngEQurH.exe, 00000000.00000003.1582807733.003D0000.00000004.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000000.00000003.1823823585.00CA0000.00000004.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000000.00000002.1865310057.01A50000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs TkAngEQurH.exe
Source: TkAngEQurH.exe, 00000004.00000003.1839430209.003D0000.00000004.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File read: C:\Users\user\Desktop\TkAngEQurH.exe
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: TkAngEQurH.exe | Static PE information: Section (unnamed): ZLIB complexity 0.999357486321
Source: TkAngEQurH.exe.0.dr | Static PE information: Section (unnamed): ZLIB complexity 0.999357486321
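The two static findings above, nameless sections and a section with a ZLIB complexity of 0.999, are cheap to reproduce outside the sandbox and make a useful first-pass triage check on any dropped file. The following Python is an added example, not code from Joe Sandbox or from the sample: it walks the COFF section table with struct, computes a compressed-to-raw size ratio per section with zlib, and flags sections that are nameless or near-incompressible. No real sample is bundled, so build_pe constructs a minimal two-section PE image in memory (a compressible .text and a nameless section filled with deterministic pseudo-random bytes) as test input. Joe Sandbox does not document its exact complexity formula here, so the ratio below (compressed size divided by raw size) and the 0.95 "likely packed" threshold are my assumptions.

```python
import hashlib
import struct
import zlib

# Threshold above which a section is treated as already compressed or encrypted.
# Assumption for this example, not a Joe Sandbox constant.
PACKED_RATIO = 0.95
FILE_ALIGN = 0x200


def parse_sections(pe: bytes):
    """Return [(name, raw_bytes)] from the COFF section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]          # SizeOfOptionalHeader
    first = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        sections.append((name.rstrip(b"\0 "), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def zlib_ratio(data: bytes) -> float:
    """Compressed size / raw size; values near 1.0 mean incompressible (packed/encrypted) data."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def triage(pe: bytes):
    """Human-readable findings for nameless and near-incompressible sections."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace") or "<nameless>"
        if not name:
            findings.append(f"nameless section ({len(data)} bytes)")
        ratio = zlib_ratio(data)
        if ratio >= PACKED_RATIO:
            findings.append(f"section {label}: zlib ratio {ratio:.3f} (likely packed/encrypted)")
    return findings


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (sha256 chain) so the test input is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections):
    """Build a minimal, non-loadable 32-bit PE image (constructed test input, not a real sample)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    raw_ptr = -(-(0x40 + 4 + 20 + len(opt) + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr += opt
    body, va = bytearray(), 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % FILE_ALIGN)
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                           len(padded), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
        va += -(-len(padded) // 0x1000) * 0x1000
    hdr += b"\0" * (raw_ptr - len(hdr))
    return bytes(hdr + body)


SAMPLE = build_pe([(b".text", b"\x90\xcc" * 2048), (b"", pseudo_random(4096))])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On a real file read the bytes from disk and pass them to triage; the parser is deliberately minimal (no overlay, no relocation or bounds hardening beyond slicing), so treat it as a triage aid, not a parser for hostile input.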
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/6@7/2
Contains functionality for error logging
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function 0_2_0046A2D5: GetLastError, FormatMessageW
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function 4_2_00463E91: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function 0_2_00404FE9: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Queries processor information (via WMI, Win32_Processor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: TkAngEQurH.exe | virustotal: Detection: 46%
Sample might require command line arguments (signature labelled ".Net"; the matched string is an AutoIt directive, consistent with the compiled-AutoIt finding above)
Source: TkAngEQurH.exe | String found in binary or memory: #comments-start (two occurrences)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\TkAngEQurH.exe 'C:\Users\user\Desktop\TkAngEQurH.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TkAngEQurH.exe 'C:\Users\user\AppData\Roaming\TkAngEQurH.exe'
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
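The process and file events recorded above (the Desktop sample starting RegAsm.exe with nothing but its own path on the command line, a copy of the sample under %APPDATA%, and Structure.lnk written to the Startup folder) map directly onto a host-based detection. RegAsm.exe legitimately takes an assembly path to register, so an instance launched with an empty argument list from a user-writable directory is the signal worth alerting on. The following Python is an added example written for this page, not Joe Sandbox output and not code from the sample: it runs two rules over constructed Sysmon-style events (event ID 1 process creation, event ID 11 file creation) that mirror the report's chain. The event dictionaries, the user-writable path patterns and the severity labels are my assumptions, and a benign RegAsm.exe invocation from a build tool is included as a control to show the first rule stays quiet on real COM registration.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not the report's own log), modelled on the chain
# in the report plus one benign control at the end.
EVENTS = [
    {"id": 1, "image": r"C:\Users\user\Desktop\TkAngEQurH.exe",
     "cmdline": r"'C:\Users\user\Desktop\TkAngEQurH.exe'",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\user\Desktop\TkAngEQurH.exe"},
    {"id": 11, "image": r"C:\Users\user\Desktop\TkAngEQurH.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk"},
    # Benign control (assumed): a build tool registering a COM-visible assembly.
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'RegAsm.exe /codebase "C:\proj\bin\Release\MyLib.dll"',
     "parent": r"C:\Program Files (x86)\MSBuild\15.0\Bin\MSBuild.exe"},
]

# Directories an unprivileged user can write to (assumption; extend per environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata|documents)\\|\\temp\\", re.I)
STARTUP_LNK = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# Splits a Windows command line into tokens, keeping quoted paths as one token.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def detect(events):
    """Return (severity, message) alerts for the two rules:

    1. RegAsm.exe created with no argument other than its own path, i.e. no
       assembly to register: a hollowing/injection candidate. High severity when
       the parent lives in a user-writable directory.
    2. A .lnk dropped into the per-user Startup folder: persistence. High
       severity when the writer itself runs from a user-writable directory."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and PureWindowsPath(ev["image"]).name.lower() == "regasm.exe":
            argv = TOKEN.findall(ev["cmdline"])
            if len(argv) == 1:
                sev = "high" if is_user_writable(ev["parent"]) else "medium"
                alerts.append((sev, f"RegAsm.exe started with no assembly path by {ev['parent']}"))
        elif ev["id"] == 11 and STARTUP_LNK.search(ev["target"]):
            sev = "high" if is_user_writable(ev["image"]) else "low"
            alerts.append((sev, f"{ev['image']} wrote Startup shortcut {ev['target']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(EVENTS):
        print(f"[{severity}] {message}")
```

The RegAsm rule generalises to the other .NET utilities this family of loaders borrows as injection hosts (the report's second unpack name, 2.2.RegAsm.exe, is the hollowed instance): any framework binary whose legitimate use always needs an argument can be checked the same way.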
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Reads the Windows registered owner settings
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Opens the .NET runtime resource library (signature labelled "Uses Microsoft Silverlight"; mscorrc.dll is the CLR's resource DLL and is loaded by ordinary .NET processes, so on its own this is not evidence of Silverlight)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: TkAngEQurH.exe | Static file information: File size 1277968 > 1048576
Binary contains paths to debug symbols
Source: Binary string: c:\Users\Shockwave\Documents\Visual Studio 2012\Projects\LZLoader\LZLoader\obj\Debug\LZLoader.pdb | source: RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp
Source: Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video\obj\Release\AForge.Video.pdb | source: RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp
Source: Binary string: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Release\ClientPlugin.pdb | source: RegAsm.exe, 00000002.00000002.1879335945.009A0000.00000004.sdmp
Source: Binary string: c:\Users\Shockwave\Desktop\New folder (2)\SevenZip\Compress\LzmaAlone\obj\Debug\Lzma.pdb | source: RegAsm.exe, 00000002.00000002.1878537804.003A0000.00000004.sdmp
Source: Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb | source: RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp
Source: Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb| | source: RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Unpacked PE file: 0.2.TkAngEQurH.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Unpacked PE file: 4.2.TkAngEQurH.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0047C304 LoadLibraryA,GetProcAddress
PE file contains sections with non-standard names
Source: TkAngEQurH.exe | Static PE information: section name: (3 entries; section name blank in report)
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: (3 entries; section name blank in report)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143CB push edi; ret 0_2_004143CD
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143B7 push edi; ret 0_2_004143B9
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143CB push edi; ret 4_2_004143CD
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143B7 push edi; ret 4_2_004143B9
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00428B85 push ecx; ret 4_2_00428B98
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003808D9 push es; ret 4_2_003808DA
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: (blank in report) entropy: 7.99656260563 (2 identical entries)

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive | 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive | 4_2_0038C787
Drops PE files
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\TkAngEQurH.exe

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive | 4_2_0038C787
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive | 4_2_0038C787
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (called 34 times in sequence)
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | System information queried: FirmwareTableInformation
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened / queried: VBoxGuest
Contains functionality to detect virtual machines (SGDT)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038C4DB sgdt fword ptr [ecx]
Contains functionality to detect virtual machines (SIDT)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038C4B6 sidt fword ptr [ecx]
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Window / User API: threadDelayed 5781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 508
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | API coverage: 7.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep count: 5781 > 30
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep time: -57810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3516 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -440000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -960000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: RegAsm.exe, 00000002.00000003.1825542117.02B96000.00000004.sdmp | Binary or memory string: HGFSC
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | Binary or memory string: pbefoqIjwIQeMurZQDnBFaaGUuOt
Source: TkAngEQurH.exe | Binary or memory string: \\.\VBoxGuest
Source: TkAngEQurH.exe, 00000004.00000002.1883487060.00380000.00000040.sdmp | Binary or memory string: n\\.\VBoxGuest
Program exit points
Source: C:\Users\user\Desktop\TkAngEQurH.exe | API call chain: ExitProcess graph end node | graph_0-39822
Queries a list of all running drivers
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: ModuleInformation
Queries a list of all running processes
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003988CA CheckRemoteDebuggerPresent
Hides threads from debuggers
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Open window title or class name: windbgframeclass
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened: NTICE
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | File opened: SICE
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\TkAngEQurH.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort (3 identical entries)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugPort (3 identical entries)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugFlags
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00435CCC RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0047C304 LoadLibraryA,GetProcAddress
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004399F2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A364 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A364 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0042A364 SetUnhandledExceptionFilter
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Thread register set: target process: 4052
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00464C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp, TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000002.00000002.1879866997.01C70000.00000004.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.1879489872.00D00000.00000002.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Progman
Source: TkAngEQurH.exe | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: ProgMan
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000002.00000002.1879784660.01C3B000.00000004.sdmp | Binary or memory string: w: [-- Program Manager --]
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042886B cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Queries volume information: C:\Users\user\Desktop\TkAngEQurH.exe VolumeInformation (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Queries volume information: C:\Users\user\AppData\Roaming\TkAngEQurH.exe VolumeInformation (3 identical entries)
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00442230 GetUserNameW
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0043418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: TkAngEQurH.exe | Binary or memory string: WIN_81
Source: TkAngEQurH.exe | Binary or memory string: WIN_XP
Source: TkAngEQurH.exe | Binary or memory string: WIN_XPe
Source: TkAngEQurH.exe | Binary or memory string: WIN_VISTA
Source: TkAngEQurH.exe | Binary or memory string: WIN_7
Source: TkAngEQurH.exe | Binary or memory string: WIN_8
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Detected Imminent RAT
Source: RegAsm.exe, 00000002.00000002.1879335945.009A0000.00000004.sdmp | String found in binary or memory: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Release\ClientPlugin.pdb
Contains functionality to start a terminal service
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: net start TermService

Behavior Graph

Behavior Graph ID: 763719 | Sample: TkAngEQurH.exe | Startdate: 18/01/2019 | Architecture: WINDOWS | Score: 100

Start node:
  DNS/IP: doddyfire.dyndns.org
  Signatures: Multi AV Scanner detection for submitted file; Detected Imminent RAT; Contains functionality to start a terminal service; 5 other signatures
  Started: TkAngEQurH.exe (graph node 7); TkAngEQurH.exe (graph node 11)

TkAngEQurH.exe (graph node 7):
  Dropped: C:\Users\...\TkAngEQurH.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\TkAngEQurH.exe (MS-DOS)
  Signatures: Detected unpacking (overwrites its own PE header); Query firmware table information (likely to detect VMs); Binary is likely a compiled AutoIt script file; 2 other signatures
  Started: RegAsm.exe (graph node 13)

TkAngEQurH.exe (graph node 11):
  Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Contains functionality to infect the boot sector; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

RegAsm.exe (graph node 13):
  DNS/IP: doddyfire.dyndns.org 144.76.215.120, 49223, 49224, 49231, HETZNER-ASDE Germany (Detected TCP or UDP traffic on non-standard ports); www.iptrackeronline.com (May check the online IP address of the machine); iptrackeronline.com 45.55.57.244, 443, 49225, 49226, DIGITALOCEAN-ASN-DigitalOceanIncUS United States
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)

Simulations

Behavior and APIs

Time | Type | Description
15:22:33 | API Interceptor | 1772x Sleep call for process: TkAngEQurH.exe modified
15:24:16 | API Interceptor | 65x Sleep call for process: RegAsm.exe modified
15:24:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Structure.lnk

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label | Link
TkAngEQurH.exe | 47% | virustotal | | Browse

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\TkAngEQurH.exe | 47% | virustotal | | Browse

Unpacked PE Files

Source | Detection | Scanner | Label | Link
2.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen |
0.2.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
0.3.TkAngEQurH.exe.1b80000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
4.0.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
0.1.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.RegAsm.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen |
4.2.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
0.0.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
4.1.TkAngEQurH.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen |
2.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen |
4.3.TkAngEQurH.exe.1b90000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.RegAsm.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen |
2.2.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen |

Domains

Source | Detection | Scanner | Label | Link
doddyfire.dyndns.org | 3% | virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js | 0% | virustotal | | Browse
https://www.connecticallc.com/ | 0% | virustotal | | Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
45.55.57.244 | 1d8.doc | Get hash | malicious | Browse |
| Registraduria Nacional del Estado Civil -Proceso inicado.doc | Get hash | malicious | Browse |
| 70payment $37,140.exe | Get hash | malicious | Browse |
| 21file1253634_Protected.exe | Get hash | malicious | Browse |
| 15OrderList_Inquiry.exe | Get hash | malicious | Browse |
| 57TP DSA database.xls.exe | Get hash | malicious | Browse |
| 75TTcopy_payment10000$.exe | Get hash | malicious | Browse |
| Software.exe | Get hash | malicious | Browse |
| 29Purchase Details Quotation.exe | Get hash | malicious | Browse |
| 63purchase order.exe | Get hash | malicious | Browse |
| 44swift copy.exe | Get hash | malicious | Browse |
| Registraduria Nacional del Estado Civil -Proceso inicado.doc | Get hash | malicious | Browse |
| 2618212_01_CARTE.doc | Get hash | malicious | Browse |
| 40item.exe | Get hash | malicious | Browse |
| 69RENEWAL OF PROFESSIONAL INDEMNITY INSURANCE POLICY-KELVIC.pd.exe | Get hash | malicious | Browse |
| 18Products List.doc | Get hash | malicious | Browse |
| 15Sept PO.doc | Get hash | malicious | Browse |

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
iptrackeronline.com | Print Label FedEx File Number 3940594.exe | Get hash | malicious | Browse | 45.55.57.244
| Migracion colombia detalles de su Proceso pendiente.doc | Get hash | malicious | Browse | 45.55.57.244
| 1d8.doc | Get hash | malicious | Browse | 45.55.57.244
| receipt.exe | Get hash | malicious | Browse | 45.55.57.244
| 57TP DSA database.xls.exe | Get hash | malicious | Browse | 45.55.57.244
| 29Purchase Details Quotation.exe | Get hash | malicious | Browse | 45.55.57.244
| 63purchase order.exe | Get hash | malicious | Browse | 45.55.57.244
| 40item.exe | Get hash | malicious | Browse | 45.55.57.244
| 69RENEWAL OF PROFESSIONAL INDEMNITY INSURANCE POLICY-KELVIC.pd.exe | Get hash | malicious | Browse | 45.55.57.244

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DIGITALOCEAN-ASN-DigitalOceanIncUS | index.doc | Get hash | malicious | Browse | 162.243.154.25
| 57xibanfkphz.exe | Get hash | malicious | Browse | 159.203.103.50
| Rechnungs-Details # 828256704534.doc | Get hash | malicious | Browse | 107.170.177.153
| Feedback1492612493425.apk | Get hash | malicious | Browse | 82.196.2.55
| 5WF6uhDmCN.rtf | Get hash | malicious | Browse | 138.68.234.128
| tLbQJ4uFVD.exe | Get hash | malicious | Browse | 104.236.109.186
| seo4ran.exe | Get hash | malicious | Browse | 104.236.109.186
| Dridex_extract-1512504575.962566-HTTP-FiRYPsxjeLBitjbX.exe | Get hash | malicious | Browse | 107.170.65.224
| Wollin_Info.doc | Get hash | malicious | Browse | 107.170.10.34
| HJH1-1810905115.doc | Get hash | malicious | Browse | 107.170.228.217
| Emotet.doc | Get hash | malicious | Browse | 104.236.109.186
| Emotet.doc | Get hash | malicious | Browse | 104.236.109.186
| f8OseYMEM.exe | Get hash | malicious | Browse | 104.236.109.186
| Trillium_Security_MultiSploit_Tool_v6.5.2.exe | Get hash | malicious | Browse | 165.227.29.57
| CeYkXgnhbU.doc | Get hash | malicious | Browse | 138.68.176.166
| Emotet.doc | Get hash | malicious | Browse | 178.62.39.238
| Invoices Overdue.doc | Get hash | malicious | Browse | 178.62.39.238
| Emotet21.02.doc | Get hash | malicious | Browse | 178.62.39.238
| Dokumente vom Notar #33062192.doc | Get hash | malicious | Browse | 178.62.39.238
HETZNER-ASDE | http://184.176.139.83/wp-snapshots/cr/index.php?q=ac2f87b395b55826f04871c2dedd11a6 | Get hash | malicious | Browse | 136.243.94.27
| 26ghostviewer@youtube.exe | Get hash | malicious | Browse | 88.198.26.2
| 21file.exe | Get hash | malicious | Browse | 88.198.26.2
| 25redacted@threatwav.exe | Get hash | malicious | Browse | 88.198.26.2
| 55fil.exe | Get hash | malicious | Browse | 88.198.26.2
| 11file.exe | Get hash | malicious | Browse | 88.198.26.2
| 5letter.exe | Get hash | malicious | Browse | 88.198.26.2
| 65redacted@threatwav.exe | Get hash | malicious | Browse | 88.198.26.2
| 37pobrien@orbtec.exe | Get hash | malicious | Browse | 88.198.26.2
| 51readme.com | Get hash | malicious | Browse | 88.198.26.2
| index.doc | Get hash | malicious | Browse | 136.243.202.133
| .exe | Get hash | malicious | Browse | 88.198.26.2
| 61message.exe | Get hash | malicious | Browse | 88.198.26.2
| 13RdnTC5NBJm.exe | Get hash | malicious | Browse | 88.198.26.2
| 32document.txt .exe | Get hash | malicious | Browse | 88.198.26.2
| .exe | Get hash | malicious | Browse | 88.198.26.2
| 59james@youtube.exe | Get hash | malicious | Browse | 88.198.26.2
| 29.doc .exe | Get hash | malicious | Browse | 88.198.26.2
| 24175368.exe | Get hash | malicious | Browse | 148.251.33.195
| a009dce0-5469-415c-8adb-28850befd97.exe | Get hash | malicious | Browse | 176.9.97.245

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
05af1f5ca1b87cc9cc9b25185115607d | Your_Purchase_4396143.xls | Get hash | malicious | Browse | 45.55.57.244
| vyplatyMGM.xls | Get hash | malicious | Browse | 45.55.57.244
| Your_Purchase_4396143.xls | Get hash | malicious | Browse | 45.55.57.244
| vyplatyMGM.xls | Get hash | malicious | Browse | 45.55.57.244
| GgM4zgU80G.xls | Get hash | malicious | Browse | 45.55.57.244
| 99fec9fb-7148-4d49-a01f-963099c821c6.doc | Get hash | malicious | Browse | 45.55.57.244
| GgM4zgU80G.xls | Get hash | malicious | Browse | 45.55.57.244
| vyplatyMGM.xls | Get hash | malicious | Browse | 45.55.57.244
| vyplatyMGM.xls | Get hash | malicious | Browse | 45.55.57.244
| invoice.doc | Get hash | malicious | Browse | 45.55.57.244
| 99fec9fb-7148-4d49-a01f-963099c821c6.doc | Get hash | malicious | Browse | 45.55.57.244

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.