Windows Analysis Report
Dokument_2024-10-24_135211.exe

Overview

General Information

Sample name:	Dokument_2024-10-24_135211.exe
Analysis ID:	1541876
MD5:	b30f3ae0737adcbc77e222bcc82234d5
SHA1:	a07d1d5ff8d65a464245c692787f0c8021f76522
SHA256:	1f7658dc2eb22a07c50d65a0a32069a024f724cc412b3f820bb84b9cc9601397
Tags:	AsyncRATexeuser-lowmal3
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["154.216.18.238"], "Port": "1194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: Dokument_2024-10-24_135211.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Dokument_2024-10-24_135211.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 154.216.18.238
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 1194
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: <123456789>
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: XWorm V5.6
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: USB.exe
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: %AppData%
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: AYT.exe

Uses 32bit PE files

Source: Dokument_2024-10-24_135211.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: AYT.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: AYT.exe.2.dr

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 154.216.18.238:1194 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 154.216.18.238:1194 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 154.216.18.238:1194

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.216.18.238

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 154.216.18.238:1194

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: RegSvcs.exe, 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00459FFF

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004461ED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004364AA

Detected potential crypto function

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D62B60	0_2_03D62B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B4468	2_2_021B4468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021BF250	2_2_021BF250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B1328	2_2_021B1328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B3E71	2_2_021B3E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B1948	2_2_021B1948

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0040E6D0 appears 35 times

Sample file is different than original file name gathered from version info

Source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2060662430.0000000003FC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Dokument_2024-10-24_135211.exe
Source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2057188056.000000000416D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Dokument_2024-10-24_135211.exe
Source: Dokument_2024-10-24_135211.exe, 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs Dokument_2024-10-24_135211.exe

Uses 32bit PE files

Source: Dokument_2024-10-24_135211.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464422
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\S7rRwTRJSkK53vKk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File created: C:\Users\user\AppData\Local\Temp\nonagglutinant

Jump to behavior

Source: Dokument_2024-10-24_135211.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dokument_2024-10-24_135211.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File read: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: AYT.lnk.2.dr

LNK file: ..\..\..\..\..\AYT.exe

Source:	Binary string: RegSvcs.pdb, source: AYT.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: AYT.exe.2.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Memory

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

PE file contains an invalid checksum

Source: Dokument_2024-10-24_135211.exe

Static PE information: real checksum: 0xa2135 should be: 0xc6e78

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004171D1 push ecx; ret

0_2_004171E4

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004772DE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004375B0

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00444078

0_2_00444078

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

API/Special instruction interceptor: Address: 3D62784

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6698			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3135			Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

API coverage: 3.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4509576676.0000000000797000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D613A0 mov eax, dword ptr fs:[00000030h]	0_2_03D613A0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D62A50 mov eax, dword ptr fs:[00000030h]	0_2_03D62A50
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D629F0 mov eax, dword ptr fs:[00000030h]	0_2_03D629F0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 36F008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_0040D6D0

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: Dokument_2024-10-24_135211.exe	Binary or memory string: Shell_TrayWnd
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dokument_2024-10-24_135211.exe PID: 3480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: Dokument_2024-10-24_135211.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_XP
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_XPe
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_VISTA
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_7

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dokument_2024-10-24_135211.exe PID: 3480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.18.238	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
154.216.18.238	true		unknown

AV Detection

Found malware configuration

Source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["154.216.18.238"], "Port": "1194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: Dokument_2024-10-24_135211.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Dokument_2024-10-24_135211.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 154.216.18.238
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 1194
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: <123456789>
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: XWorm V5.6
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: USB.exe
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: %AppData%
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: AYT.exe

Uses 32bit PE files

Source: Dokument_2024-10-24_135211.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: AYT.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: AYT.exe.2.dr

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 154.216.18.238:1194 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 154.216.18.238:1194 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 154.216.18.238:1194

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.216.18.238

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 154.216.18.238:1194

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: RegSvcs.exe, 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00459FFF

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_004461ED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_004364AA

Detected potential crypto function

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D62B60	0_2_03D62B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B4468	2_2_021B4468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021BF250	2_2_021BF250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B1328	2_2_021B1328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B3E71	2_2_021B3E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_021B1948	2_2_021B1948

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: String function: 0040E6D0 appears 35 times

Sample file is different than original file name gathered from version info

Source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2060662430.0000000003FC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Dokument_2024-10-24_135211.exe
Source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2057188056.000000000416D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Dokument_2024-10-24_135211.exe
Source: Dokument_2024-10-24_135211.exe, 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs Dokument_2024-10-24_135211.exe

Uses 32bit PE files

Source: Dokument_2024-10-24_135211.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464422
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\S7rRwTRJSkK53vKk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File created: C:\Users\user\AppData\Local\Temp\nonagglutinant

Jump to behavior

Source: Dokument_2024-10-24_135211.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dokument_2024-10-24_135211.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

File read: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: AYT.lnk.2.dr

LNK file: ..\..\..\..\..\AYT.exe

Source:	Binary string: RegSvcs.pdb, source: AYT.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Dokument_2024-10-24_135211.exe, 00000000.00000003.2056282001.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, Dokument_2024-10-24_135211.exe, 00000000.00000003.2063576056.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: AYT.exe.2.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, Messages.cs	.Net Code: Memory

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

PE file contains an invalid checksum

Source: Dokument_2024-10-24_135211.exe

Static PE information: real checksum: 0xa2135 should be: 0xc6e78

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004171D1 push ecx; ret

0_2_004171E4

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004772DE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004375B0

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00444078

0_2_00444078

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

API/Special instruction interceptor: Address: 3D62784

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6698			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3135			Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

API coverage: 3.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4509576676.0000000000797000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_0040D6D0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D613A0 mov eax, dword ptr fs:[00000030h]	0_2_03D613A0
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D62A50 mov eax, dword ptr fs:[00000030h]	0_2_03D62A50
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_03D629F0 mov eax, dword ptr fs:[00000030h]	0_2_03D629F0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_00426DA1

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 36F008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_0040D6D0

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

0_2_004375B0

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: Dokument_2024-10-24_135211.exe	Binary or memory string: Shell_TrayWnd
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dokument_2024-10-24_135211.exe PID: 3480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: Dokument_2024-10-24_135211.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_XP
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_XPe
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_VISTA
Source: Dokument_2024-10-24_135211.exe	Binary or memory string: WIN_7

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Dokument_2024-10-24_135211.exe.1710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2065006562.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4509176650.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4510073571.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dokument_2024-10-24_135211.exe PID: 3480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\Dokument_2024-10-24_135211.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92

ID:	1541876
Product:	CloudBasic
Start time:	09:15:06
Start date:	25.10.2024
Sample:	Dokument_2024-10-24_135211.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b30f3ae0737adcbc77e222bcc82234d5
SHA1:	a07d1d5ff8d65a464245c692787f0c8021f76522
SHA256:	1f7658dc2eb22a07c50d65a0a32069a024f724cc412b3f820bb84b9cc9601397
Filetype:	Win32 Executable (generic) a (10002005/4) 95.11%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	2C11513C4FAB02AEDEE23EC05A2EB3CC	59177C177B2546FBD8EC7688BAD19D08D32640DE	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
C:\Users\user\AppData\Local\Temp\nonagglutinant	data	6B9B85DBA3023A02628F3AB051EAC57A	C857C9EE0A9C997F2F53209C612FCF356A7DBED4	8E6479D73F7A72ADE45E70FAEE8698C29954D195A4E5270802432BCFFE049476
C:\Users\user\AppData\Roaming\AYT.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	9D352BC46709F0CB5EC974633A0C3C94	1969771B2F022F9A86D77AC4D4D239BECDF08D07	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 25 06:16:02 2024, mtime=Fri Oct 25 06:16:02 2024, atime=Fri Oct 25 06:16:02 2024, length=45984, window=hide	FA977B8DEADE79DC9EDB61F5A05C7F7C	CF29CF84EABBAD13F4A8329E7D1AFAA7E8D85DC7	2B3D64492F84B13C5CB21DB60096401E958CB416E48F6258C00B19AE55CAB845

Windows Analysis Report
Dokument_2024-10-24_135211.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report Dokument_2024-10-24_135211.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
Dokument_2024-10-24_135211.exe

Malware Threat Intel
Provided by