Windows Analysis Report
BDQfYL99b2.exe

Overview

General Information

Sample name: BDQfYL99b2.exe
renamed because original name is a hash value
Original sample name: a2dcc2e9dd81e3a5f6440ed7027a86da.exe
Analysis ID: 1467126
MD5: a2dcc2e9dd81e3a5f6440ed7027a86da
SHA1: 3518e330ef6c682445bed81d6ae4e167b003ae4b
SHA256: 3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c
Tags: 64exe
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: bossnacarpet.com Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "bossnacarpet.com:2556:1vegetachcnc.com:2556:1", "Assigned name": "2556", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-6W1HCC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for submitted file
Source: BDQfYL99b2.exe ReversingLabs: Detection: 34%
Yara detected Remcos RAT
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 3_2_00433837
Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_b3498c3a-c

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004074FD _wcslen,CoGetObject, 3_2_004074FD
Source: unknown HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.6:54066 version: TLS 1.2
Source: BDQfYL99b2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0044E879 FindFirstFileExA, 3_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, 3_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00407C97

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: bossnacarpet.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 173.255.204.62:2556
Source: global traffic TCP traffic: 192.168.2.6:49713 -> 107.173.4.18:2556
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.168.117.173 52.168.117.173
Source: Joe Sandbox View IP Address: 173.255.204.62 173.255.204.62
Source: Joe Sandbox View IP Address: 107.173.4.18 107.173.4.18
Source: Joe Sandbox View IP Address: 107.173.4.18 107.173.4.18
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_0041B380
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: bossnacarpet.com
Source: global traffic DNS traffic detected: DNS query: vegetachcnc.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: unknown HTTP traffic detected: POST /Telemetry.Request HTTP/1.1Connection: Keep-AliveUser-Agent: MSDWMSA_DeviceTicket: t=EwCwAlN5BAAUIUShNzVa+rgHy/M+tY/dQyCg+nEAAQ7UsXLAS98HwRFo3wk0kdDuCyropDm7LcPUtYsXLo4HpHhm6MIqJTtAjlDQqRL0Q+F02xOMDg/t8gKZ0IFYAzLzMtk2bIgmmoMql8D/EALKpyBW4s5BLj2CEjNdjXTr/8aOvbHjmD7bxHla+4WffRqMlPJQazJxFHiw49AkDEzb/YqsBeEkMN3ZM7BNvzCSswFGLvnGqDNYclbAKUiGZ9AvRmILxY5JyMfa7tbWcqVafb6IxEnu90hTizP9htXZf1SlOzFT1CPeGfA78vKn4DFI48DCjyZUV7eGbKwusTlt2WtA6wdSUNOsxJcJAR2bpXpRuU2RhlLpWggzThddKaUDZgAACPWcP8PJUP0sgAEb401qTfgzav13/8m32w4Ohl2DRLF7B7r37jErtHj4ZexGVQMoudN1cGHqKrtgEFl2b0a8izrE5UhSkhREv+WJeHANYlZdedzhmtNhpw3JLw0CAvDpCkoEf20dlKhDXIp1/JeaeNo/i9pYOVxWK2GILWr8wV5kQk8eqtcaQ1mTyhpsv3MXJp/dMP+hDQBsmCJrN4AJ4ucDZ8X0pfjPDV8sxbr4K6OR4nF0WM+FRqaRQk71h2uPxik5AzzHzQJZFC2RYnAzYOpeMjzyrCMkj6GhLa4C/x/7PkgL7b6XsHrCIUSVPd2TU1x+ikS7jECZhrw9G0kAhSr6EkIDQ/B1gbWhm98fRHD7Zg6ienQpkTZq53+Cjcpvs6yviZSD/PJxG1nPmBu5W9ncXUfws+UVPeW4G7R5qGpctSr7t5oaIrd6SKoE8TLHOVka8LZ9CfnoO31zM2incLQRjoMO6nBAVWG14UGqJ+thPkOh+ujVQ3ydrJP1BLlQPmtred7bmNWean61AQ==&p=Content-Length: 4828Host: umwatson.events.data.microsoft.com
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp.
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/
Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpG
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpal
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpc
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpr&
Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpr2
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54066
Source: unknown Network traffic detected: HTTP traffic on port 54066 -> 443
Source: unknown HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.6:54066 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 3_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 3_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004168C1
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 3_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 3_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041C9E2 SystemParametersInfoW, 3_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_004167B4
Detected potential crypto function
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34714D30 0_2_00007FFD34714D30
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34701500 0_2_00007FFD34701500
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD3470BDE9 0_2_00007FFD3470BDE9
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34708EF8 0_2_00007FFD34708EF8
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34703B18 0_2_00007FFD34703B18
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34701800 0_2_00007FFD34701800
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD347043EC 0_2_00007FFD347043EC
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD347014FD 0_2_00007FFD347014FD
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34714D89 0_2_00007FFD34714D89
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD34708F3F 0_2_00007FFD34708F3F
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD3471079A 0_2_00007FFD3471079A
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD347E00FB 0_2_00007FFD347E00FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0043E0CC 3_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041F0FA 3_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00454159 3_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00438168 3_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004461F0 3_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0043E2FB 3_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0045332B 3_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0042739D 3_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004374E6 3_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0043E558 3_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00438770 3_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004378FE 3_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00433946 3_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0044D9C9 3_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00427A46 3_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041DB62 3_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00427BAF 3_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00437D33 3_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00435E5E 3_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00426E0E 3_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0043DE9D 3_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00413FCA 3_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00436FEA 3_2_00436FEA
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: String function: 00401E65 appears 34 times
One or more processes crash
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
PE file does not import any functions
Source: BDQfYL99b2.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: BDQfYL99b2.exe, 00000000.00000000.2104241148.00000205BB1EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAtakacipaxelubigetoD vs BDQfYL99b2.exe
Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOtodinedexop: vs BDQfYL99b2.exe
Source: BDQfYL99b2.exe Binary or memory string: OriginalFilenameAtakacipaxelubigetoD vs BDQfYL99b2.exe
Yara signature match
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: BDQfYL99b2.exe, ----------.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu
Source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/6@3/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 3_2_0040F474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 3_2_0041B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0041AA4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Mutant created: \Sessions\1\BaseNamedObjects\chrome-6W1HCC
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aef5ed17-6ce2-43e8-95e4-1841ea2751b4 Jump to behavior
Source: BDQfYL99b2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BDQfYL99b2.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BDQfYL99b2.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\BDQfYL99b2.exe File read: C:\Users\user\Desktop\BDQfYL99b2.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BDQfYL99b2.exe "C:\Users\user\Desktop\BDQfYL99b2.exe"
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: BDQfYL99b2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BDQfYL99b2.exe Static file information: File size 3397673 > 1048576
Source: BDQfYL99b2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BDQfYL99b2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
Source: Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD347059D5 push ds; retn 0008h 0_2_00007FFD347059D6
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Code function: 0_2_00007FFD347E00FB push esp; retf 4810h 0_2_00007FFD347E0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00457106 push ecx; ret 3_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0045B11A push esp; ret 3_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0045E54D push esi; ret 3_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00457A28 push eax; ret 3_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00434E56 push ecx; ret 3_2_00434E69
Contains functionality to download and launch executables
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 3_2_00406EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0041AA4A
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Delayed program exit found
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040F7A7 Sleep,ExitProcess, 3_2_0040F7A7
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory allocated: 205BB530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory allocated: 205D4DD0000 memory reserve | memory write watch Jump to behavior
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 3_2_0041A748
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Window / User API: threadDelayed 9677 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 Thread sleep count: 315 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 Thread sleep time: -945000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 Thread sleep count: 9677 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 Thread sleep time: -29031000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0044E879 FindFirstFileExA, 3_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, 3_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00407C97
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h] 3_2_004432B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00412077 GetProcessHeap,HeapFree, 3_2_00412077
Enables debug privileges
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00434B47 SetUnhandledExceptionFilter, 3_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00434FDC
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: BDQfYL99b2.exe, ----------.cs Reference to suspicious API methods: GetProcAddress(_EC76_EE96_EC7C_EEF9_EE2B_EC8E_EE75_08F2_06FE_ECA8, _065F_EE5D_ECA9_08E6_08FF_EE72)
Source: BDQfYL99b2.exe, ----------.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_08EA_ECA7_EEB7_08D8_0610_EE34.Length, 64u, out var _EE22_EE28_ECBC_EE75_EE52_060F_EE7E_0654_EEC0_08DB_0618_08DE_ECBF)
Source: BDQfYL99b2.exe, ----------.cs Reference to suspicious API methods: LoadLibrary(_EE16_EE09_EE00_EE19_0E7C_EE4F_EE1C_060B_EEC8_EE24_EC73_EE87_EC73_EE3F_0E6B(_EC8E_EE42_ECBE_EECA_EECE_EE15_EE77_EE88_06DC_0EBB_ECA9_EE7E_EE24_EE50._EE53_EE0A))
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 459000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 471000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 477000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 478000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47E000 Jump to behavior
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4BF4008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00419627 mouse_event, 3_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" Jump to behavior
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager&
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerj
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager`
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00434C52 cpuid 3_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoA, 3_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: EnumSystemLocalesW, 3_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoW, 3_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: EnumSystemLocalesW, 3_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoW, 3_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: GetLocaleInfoW, 3_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: EnumSystemLocalesW, 3_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: EnumSystemLocalesW, 3_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Queries volume information: C:\Users\user\Desktop\BDQfYL99b2.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 3_2_00404F51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_0041B60D GetComputerNameExW,GetUserNameW, 3_2_0041B60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 3_2_00449190
Source: C:\Users\user\Desktop\BDQfYL99b2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: \key3.db 3_2_0040BB30

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: cmd.exe 3_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467126 Sample: BDQfYL99b2.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 21 vegetachcnc.com 2->21 23 bossnacarpet.com 2->23 25 geoplugin.net 2->25 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 7 other signatures 2->41 7 BDQfYL99b2.exe 3 2->7         started        signatures3 process4 signatures5 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->43 45 Writes to foreign memory regions 7->45 47 Allocates memory in foreign processes 7->47 49 Injects a PE file into a foreign processes 7->49 10 aspnet_wp.exe 3 13 7->10         started        14 WerFault.exe 22 16 7->14         started        17 conhost.exe 7->17         started        process6 dnsIp7 27 bossnacarpet.com 173.255.204.62, 2556, 49710 LINODE-APLinodeLLCUS United States 10->27 29 vegetachcnc.com 107.173.4.18, 2556, 49713 AS-COLOCROSSINGUS United States 10->29 31 geoplugin.net 178.237.33.50, 54068, 80 ATOM86-ASATOM86NL Netherlands 10->31 51 Contains functionality to bypass UAC (CMSTPLUA) 10->51 53 Contains functionalty to change the wallpaper 10->53 55 Contains functionality to steal Chrome passwords or cookies 10->55 57 3 other signatures 10->57 33 52.168.117.173, 443, 54066 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->33 19 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->19 dropped file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.168.117.173
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
173.255.204.62
 bossnacarpet.com United States
63949 LINODE-APLinodeLLCUS true
107.173.4.18
 vegetachcnc.com United States
36352 AS-COLOCROSSINGUS true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
vegetachcnc.com 107.173.4.18 true
bossnacarpet.com 173.255.204.62 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
bossnacarpet.com true
  • Avira URL Cloud: malware
 unknown